Abstract

We present a hierarchical framework for analysing propositional linear-time temporal logic (PTL) to obtain standard results such as a small model property, decision procedures and axiomatic completeness. Both finite time and infinite time are considered and one consequent benefit of the framework is the ability to systematically reduce infinite-time reasoning to finite-time reasoning. The treatment of PTL with both the operator until and past time naturally reduces to that for PTL without either one. Our method utilises a low-level normal form for PTL called a transition configuration. In addition, we employ reasoning about intervals of time. Besides being hierarchical and interval-based, the approach differs from other analyses of PTL typically based on sets of formulas and sequences of such sets. Instead we describe models using time intervals represented as finite and infinite sequences of states. The analysis relates larger intervals with smaller ones. Steps involved are expressed in Propositional Interval Temporal Logic (PITL) which is better suited than PTL for sequentially combining and decomposing formulas. Consequently, we can articulate issues in PTL model construction of equal relevance in more conventional analyses but normally only considered at the metalevel. We also describe a decision procedure based on Binary Decision Diagrams.

Beyond the specific issues involving PTL, the research is a significant application of ITL and interval-based reasoning and illustrates a general approach to formally reasoning about sequential and parallel behaviour in discrete linear time. The work also includes some interesting representation theorems. In addition, it has relevance to hardware description and verification since the specification languages PSL/Sugar (now IEEE standard 1850) and 'temporal e' (part of IEEE candidate standard 1647) both contain temporal constructs concerning intervals of time as does the related System Verilog Assertion language contained in System Verilog, an extension of the IEEE 1364-2001 Verilog language.

Keywords: temporal logic, interval temporal logic, small models, decision procedures, axiomatic completeness

1 Introduction 

Following the seminal paper by Pnueli [61], temporal logic [20,40,44] has become one of the main formalisms used in computer science for reasoning about the dynamic behaviour of systems. In particular, propositional linear-time temporal logic (PTL) and some variants of it have been extensively studied and used. In a relatively recent and significant article, Lichtenstein and Pnueli [43] give a detailed analysis of PTL which is meant to largely subsume and supersede earlier ones. Indeed, the work appears to have the rather ambitious goal of coming close to offering the last word on the subject and is perhaps best described in the authors' own words:

The paper summarizes work of over 20 years and is intended to provide a definitive reference to the version of propositional temporal logic used for the specification and verification of reactive systems.

The version of PTL considered by Lichtenstein and Pnueli has discrete time and past time. Both a decision procedure and axiomatic completeness are investigated and a new simplified axiom system is presented. The approach makes use of semantic tableaux and throughout the presentation the treatment of PTL with past-time operators runs in parallel with the future-only version. The authors choose in particular to use tableaux since they offer a basis for uniformly showing axiomatic completeness and also obtaining a practical decision procedure. The extensive material about past time is distinctly marked so that one can optionally delete it to obtain an analysis limited to the future fragment of PTL.

We present a novel framework for investigating PTL which significantly differs from the methods of Lichtenstein and Pnueli and earlier treatments such as [27,28,40,73]. It is used to obtain standard results such as a small model property, a practical decision procedure and axiomatic completeness. However, instead of relying on semantic tableaux, filtration and other previous techniques, our method is based on an interval-oriented analysis of certain kinds of low-level PTL formulas called transition configurations. An important feature of this approach is that it provides a natural hierarchical means of reducing full PTL to this subset and also reduces both PTL with the until operator and past time to versions without them. Therefore the overwhelming bulk of the analysis only needs to deal with PTL with neither until nor past time. Moreover, the analysis of PTL with infinite time naturally reduces to that for PTL with just finite time. The low-level formulas also have associated practical decision procedures, including a simple symbolic one based on Binary Decision Diagrams (BDDs) [8] which we have implemented.

The basic version of PTL used here is described in detail in Sect. 3 but we will now briefly summarise some of the features in order to be able to overview some key aspects of our work. We postpone the treatment of until and past time in order to later handle them in a natural hierarchical manner. Both finite and infinite time are permitted, whereas most versions of PTL deal solely with the latter. One reason for including finite time is to allow us to naturally capture parts of our infinite-time analysis within PTL formulas concerning finite-time subintervals. The only two primitive temporal operators initially considered are ○ (strong next) and ◇ (eventually) although some others are definable in terms of them (e.g., □ (henceforth) and ◇⁺ (strict eventually)).

Our analysis of PTL extensively employs intervals of time which are represented as finite and countably infinite sequences of states and described by formulas in a propositional version of Interval Temporal Logic (ITL) [29,48-51] (see also [38]) referred to as PITL. By using a hierarchical, interval-oriented framework, the approach differs from that of Lichtenstein and Pnueli and previous ones which in general utilise sets of formulas and sequences of such sets (also referred to as paths). We instead relate transition configurations to semantically equivalent formulas in PITL. Time intervals facilitate an analysis which naturally relates larger intervals with smaller ones. The process of doing this can be explicitly expressed in PITL in a way not possible within previous frameworks which lack both a formalisation of intervals and logical operators concerning various kinds of sequential composition of intervals.

Let us now informally consider as an example a simplified presentation of how we later establish the existence of periodic models for certain kinds of low-level formulas involving infinite time. The analysis for temporal logic formulas involving infinite time needs to consider formulas of the form □◇⁺A, where A is itself a restricted kind of temporal logic formula. Here □◇⁺A is true for an interval, that is, the interval satisfies □◇⁺A, iff the interval has infinite length and A itself is satisfied by an infinite number of the interval's suffixes. We want to show that if □◇⁺A is satisfied by some interval, then there also exists a periodic interval which satisfies □◇⁺A. We first show a sufficient condition motivated by A's restricted syntax which ensures that □◇⁺A is semantically equivalent to the PITL formula A^ω. This formula is true on an interval if the interval has infinite length and can be split into an infinite sequence of finite intervals each satisfying A. We then select one of these finite intervals and join ω copies of it together to obtain a periodic interval satisfying A^ω and hence also the original formula □◇⁺A. Furthermore, after showing the existence of bounded models for A, we can then establish similar properties for A^ω and hence also □◇⁺A.

We believe that our interval-based analysis complements existing approaches since it provides a notational way to articulate various issues concerning PTL model construction which are equally relevant within a more conventional analysis but are normally only considered at the metalevel. It also illustrates some general techniques for compositional specification and proof in discrete linear time which are applicable here. This all fits nicely with one of the main purposes of a logic which is to provide a notation for explicitly and formally expressing reasoning processes. In addition, a number of the temporal logic formulas encountered can even be used with little or no change as input to an implementation of a PTL decision procedure which supports both finite and infinite time. The analysis itself is performed without the need to add any fundamentally new concepts to PITL but does require a reader's willingness to acquire some familiarity with PITL and various fairly general issues concerning interval-based reasoning.

Another feature of our approach is that it readily generalises to a finite-time analysis of an important subset of PITL called Fusion Logic (FL), which was previously used by us in [57] to hierarchically show the completeness of an axiom system for PITL. The analysis of FL uses a reduction of FL formulas to PTL ones. The prototype implementation of our PTL decision procedure also supports FL. A brief introduction to FL is given in Sect. 13.4 since FL is a natural extension of our framework for studying PTL and furthermore demonstrates another connection between PTL and intervals. We plan in future work to give a more detailed discussion of the decision procedure for FL as well as some other issues concerning FL.

Our preliminary work in [58] contains an earlier description of this material but was limited to showing axiomatic completeness for PTL without past time. In the meantime, we have significantly extended the notation, methods and their scope of application. The structure of presentation has also been refined.

The use of intervals here seems to go well with a growing general awareness even in industry of the desirability for temporal logics which go beyond conventional point-based constructs to also handle behavioural specifications involving intervals of time. As evidence for this we mention the Property Specification Language PSL/Sugar [63]. This is a modified version of a language Sugar [3] developed at IBM/Haifa. PSL/Sugar has been ratified as IEEE standard 1850 with the purpose of precisely expressing a hardware system's design properties so that they can then be tested using simulation and model checking. It includes a temporal logic with regular expressions and other operators for sequential composition. The hardware description language System Verilog [66] is an extension of the established IEEE 1364-2001 Verilog language and includes temporal assertions similar to those in PSL/Sugar. System Verilog has itself been ratified as a standard by Accellera Organization, Inc. which also hopes to obtain ratification from the IEEE.

In addition, the IEEE Design Automation Standards Committee has recently approved a project to produce a candidate standard for Verisity Ltd.'s [68] e language which is intended for testing and verification.¹ A subset of e called temporal e was influenced in part by ITL [35,47,69]. The IEEE Standards Association has assigned the project the number 1647 [37].

¹ Verisity has been acquired by Cadence Design Systems [11].
Structure of Presentation

Let us now summarise the structure of the rest of this paper. Section 2 mentions some related work and gives a comparison with our approach. Section 3 presents the version of PTL we use. Section 4 summarises the propositional version of ITL which we use in the analysis. Section 5 introduces low-level PTL formulas called transition configurations and relates them to some semantically equivalent propositional ITL formulas which simplify the subsequent analysis. Section 6 proves the existence of small models for transition configurations. Section 7 shows how to relate the satisfiability of the two main kinds of transition configurations with simple interval-oriented tests. Section 8 deals with a practical BDD-based decision procedure for transition configurations. Section 9 concerns axiomatic completeness for an important subset of PTL in which the only temporal operator is ○ (next). Section 10 looks at a PTL axiom system and axiomatic completeness for transition configurations. Section 11 presents formulas called invariants and invariant configurations which together serve as a bridge between the previously mentioned transition configurations and arbitrary PTL formulas. Section 12 discusses how to generalise the previous results to work with arbitrary PTL formulas. Section 13 hierarchically extends our approach to deal with both the temporal operators until and past time. It also briefly looks at a superset of PTL called Fusion Logic. Section 14 concludes with some brief discussion.

2 Background 

Temporal logics have become a popular topic of study in theoretical computer science and are also being utilised by industry to locate faults in digital circuit designs, communication protocols and other applications. Issues such as small models, proof systems, axiomatic completeness and decision procedures for PTL (almost always limited to infinite time) have been extensively investigated by Gabbay et al. [27], Wolper [73], Kröger [40], Goldblatt [28], Lichtenstein and Pnueli [43], Lange and Stirling [42], Pucella [64] (who also considers PTL with finite time) and others. French [26] elaborates on the presentation by Gabbay et al. [27].

Vardi and Wolper [67] and Bernholtz, Vardi and Wolper [6] describe decision procedures for some temporal logics based on a reduction to ω-automata. They do not consider axiomatic completeness. Wolper [71] presents a tutorial on such decision procedures for PTL with infinite time.

Ben-Ari et al. [4,5], Wolper [70,72] and Banieqbal and Barringer [2] develop closely related proofs of completeness for logics which include PTL as a subset or are branching-time versions of it. The book by Rescher and Urquhart [65] is an early source of tableau-based completeness proofs for temporal logics. The survey by Emerson [20] includes material about axiom systems for both linear and branching-time temporal logic.

Fisher [23,24] (see also later work by Fisher, Dixon and Peim [25] and Bolotov, Fisher and Dixon [7]) presents a normal form for PTL called Separated Normal Form (SNF) which consists of formulas having the syntax □⋀ᵢ Aᵢ, where each Aᵢ can be one of the following:

  start ⊃ ⋁_c l_c     ⋀_a k_a ⊃ ○⋁_d l_d     ⋀_b k_b ⊃ ◇l .

Here each particular k_a, k_b, l, l_c and l_d is a literal (i.e., a propositional variable or its negation). Some versions of SNF permit past-time constructs or have other relatively minor differences. Applications include theorem proving, executable specifications and representing ω-automata. We mention SNF here since it is a PTL normal form which somewhat resembles what we call invariants and formally introduce in Sect. 11.

3 Overview of PTL 

This section summarises the basic version of PTL used here. Later on in Sect. 13 we augment PTL with the operator until and past time.

3.1 Syntax of PTL 

We now describe the syntax of permitted PTL formulas. In what follows, p is any propositional variable and both X and Y denote PTL formulas:

  p     true     X ∨ Y     ○X ("strong next")     ◇X ("eventually") .

We include true as a primitive so as to avoid a definition of it which contains some specific variable. This is not strictly necessary. Other conventional logic operators such as false, X ∧ Y and X ⊃ Y (X implies Y) are defined in the usual way. Also, □X ("henceforth") is defined as ¬◇¬X.

3.2 Semantics of PTL 

The version of PTL considered here uses discrete, linear time which is represented by intervals each consisting of a sequence of one or more states. More precisely, an interval σ is any finite or infinite sequence of one or more states σ₀, σ₁, … . Each state σᵢ in σ maps each propositional variable p, q, … to one of the boolean values true and false. The value of p in the state σᵢ is denoted σᵢ(p). A finite interval σ has an interval length |σ| which equals the number of states minus 1 and is hence always greater than or equal to 0. We regard the smallest nonzero interval length 1 as a unit of (abstract) time. For example, an interval with 6 states has interval length 5 or equivalently 5 time units. These units do not correspond to any particular notion of physical time. The interval length of an infinite interval is taken to be ω. The term subinterval refers to any interval obtained from some contiguous subsequence of another interval's states.

We call a one-state interval (i.e., interval length 0) an empty interval. A two-state interval (i.e., interval length 1) is called a unit interval. Both kinds of intervals play an important role in our analysis.

The notation σ ⊨ X denotes that the interval σ satisfies the PTL formula X. We now give a definition of this using induction on X's syntax:

• Propositional variable: σ ⊨ p iff p is true in the initial state σ₀ (i.e., σ₀(p) = true).

• True: σ ⊨ true trivially holds for any σ.

• Negation: σ ⊨ ¬X iff σ ⊭ X.

• Disjunction: σ ⊨ X ∨ Y iff σ ⊨ X or σ ⊨ Y.

• Next: σ ⊨ ○X iff σ′ ⊨ X, where σ contains at least two states and σ′ denotes the suffix subinterval σ₁σ₂… which starts from the second state σ₁ in σ.

• Eventually: σ ⊨ ◇X iff σ′ ⊨ X, for some suffix subinterval σ′ of σ (perhaps σ itself).

Table 1 shows a variety of other useful temporal operators which are definable in PTL. It includes operators for testing whether an interval is finite or infinite and whether the interval has exactly one state or two states. Most of the operators only become relevant when finite intervals are permitted. Therefore, readers who are just familiar with conventional PTL and infinite time will have previously encountered only a few of the operators.

Note: Some readers will (quite reasonably) prefer to skim Table 1 for now and only later consult it in more detail when the various operators are actually used.

Figure 1 assists in the understanding of Table 1 by illustrating a number of the operators through sample formulas and intervals. In the figure, the logical values true and false are respectively abbreviated as "t" and "f". In what follows, we frequently use ⊡ instead of □ since we need to test pairs of adjacent states in an interval. The operator ⊡ is better suited for this since it does not "run off the end" when examining finite intervals. The fourth example in Figure 1 serves as an example of this feature. As a consequence, ⊡ is easier to work with in our interval-based analysis as is later shown in Theorem 11.

Definition 1 (Satisfiability and Validity) For any interval σ and PTL formula X, if σ satisfies X (i.e., σ ⊨ X holds), then X is said to be satisfiable [the paper's symbol for this did not survive extraction]. A formula X satisfied by all intervals is valid, denoted as ⊨ X.

We now define an important subset of PTL involving the operator ○:

Definition 2 (Next Logic) The set of PTL formulas in which the only primitive temporal operator is ○ is called Next Logic (NL). The subset of NL in which no ○ is nested within another ○ is denoted as NL¹.

For example, the NL formula p ∧ ○q is in NL¹, whereas the NL formula p ∧ ○(q ∨ ○p) is not.

The variables T, T′ and T″ denote formulas in NL¹.

Standard derived PTL operators:

  □X     ≝ ¬◇¬X             Henceforth
  ◇⁺X    ≝ ○◇X              Eventually in strict future
  □⁺X    ≝ ¬◇⁺¬X            Henceforth in strict future (not used here)

PTL operators primarily for finite intervals:

  more   ≝ ○true            More than one state
  empty  ≝ ¬more            Only one state (empty interval)
  ⓧX     ≝ ¬○¬X             Weak next (same as more ⊃ ○X)
  skip   ≝ ○empty           Exactly two states (unit interval)
  X?     ≝ X ∧ empty        Empty interval with test
  [definition lost in extraction]   Unit interval with test

PTL operators for finite and infinite intervals:

  finite ≝ ◇empty           Finite interval
  inf    ≝ ¬finite          Infinite interval
  sfin X ≝ ◇(empty ∧ X)     Strong test of final state
  fin X  ≝ □(empty ⊃ X)     Weak test of final state
  ⟐X     ≝ ◇(more ∧ X)      Sometime before the very end
  ⊡X     ≝ □(more ⊃ X)      Henceforth except perhaps at very end

Table 1: Some definable PTL operators

[Figure 1: Some examples of formulas with derived PTL operators. The figure pairs sample formulas built from the operators of Table 1 (the first is skip ∧ sfin ¬p) with satisfying intervals written as the sequence of truth values of p (for the first, p: t f); the remaining formulas and intervals did not survive extraction.]

Definition 3 (Tautologies) A tautology is any formula which is a substitution instance of some valid nonmodal propositional formula.

For example, the formula ○X ∨ ○Y ⊃ ○Y is a tautology since it is a substitution instance of the valid nonmodal formula ⊨ p ∨ q ⊃ q. It is not hard to show that all tautologies are themselves valid since intuitively a tautology is any valid formula which does not require modal reasoning to justify its truth.

Convention for variables denoting individual formulas and sets of formulas: In what follows, the variable w refers to a state formula, that is, a formula with no temporal operators. Furthermore, PROP denotes the set of all state formulas. For any finite set of variables V, PROP_V denotes the set of all state formulas only having variables in V. Likewise, the set PTL_V denotes the set of all formulas in PTL only containing variables in V and NL¹_V denotes the set of all formulas in NL¹ only having variables in V. For example, the formula p ∧ ○q is in PTL_{p,q} but not in PTL_{p}.

3.3 Example of the Hierarchical Process 

Our analysis of PTL reduces arbitrary PTL formulas to lower level ones with a much more restricted syntax. The next PTL formula serves as a simple example to motivate some of the notation and conventions later introduced:

  □◇p ∧ □◇¬p .

This is reducible to the formula □I ∧ w, where I and w are given below:

  I: (r₁ ≡ ◇p) ∧ (r₂ ≡ ◇¬r₁) ∧ (r₃ ≡ ◇¬p) ∧ (r₄ ≡ ◇¬r₃)
  w: ¬r₂ ∧ ¬r₄ .

The auxiliary variables r₁, …, r₄ provide a natural way to eliminate the nesting of temporal operators within other temporal operators in I. We call the conjunction I an invariant and the conjunction □I ∧ w an invariant configuration. Both are formally introduced later in Sect. 11. It can be shown that the original formula □◇p ∧ □◇¬p is satisfiable iff the invariant configuration □I ∧ w is.

When analysing behaviour in finite time, we further transform the invariant configuration □I ∧ w to another special kind of conjunction □T ∧ w ∧ finite, where T and w are as follows:

  T: (r₁ ≡ (p ∨ ○r₁)) ∧ (r₂ ≡ (¬r₁ ∨ ○r₂)) ∧ (r₃ ≡ (¬p ∨ ○r₃)) ∧ (r₄ ≡ (¬r₃ ∨ ○r₄))
  w: ¬r₂ ∧ ¬r₄ .

Here I's first conjunct r₁ ≡ ◇p is replaced in T by the ◇-free formula r₁ ≡ (p ∨ ○r₁). The remaining conjuncts in T similarly avoid having any ◇ constructs. We call T a transition formula and □T ∧ w ∧ finite a transition configuration (formally defined in Section 5). The formula T is in fact a formula in the important subset of PTL called NL¹ (previously formally defined in Definition 2) in which the only temporal constructs are ○ operators not nested within other ○ operators. In addition, in finite-time intervals the PTL formulas □I and □T are semantically equivalent. Moreover, it can be shown that the original formula □◇p ∧ □◇¬p is satisfiable in finite time iff the transition configuration □T ∧ w ∧ finite is satisfiable. As is later shown, NL¹ formulas such as T play a fundamental role in our analysis of transition configurations.
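The semantics of Sect. 3.2, the derived operators of Table 1 and the reduction just sketched, as an added worked example that is not part of the paper: a brute-force checker for PTL over finite intervals. The function names, the witness format and the search bounds are the example's own choices.

```python
from itertools import product

# A formula is a function f(sigma, i) -> bool: does the suffix of the finite
# interval sigma (a list of states, each a dict variable -> bool) that begins
# at state i satisfy the formula?  Only finite intervals are handled here.
def var(p):       return lambda s, i: s[i][p]
TRUE = lambda s, i: True
def neg(X):       return lambda s, i: not X(s, i)
def lor(X, Y):    return lambda s, i: X(s, i) or Y(s, i)
def land(X, Y):   return lambda s, i: X(s, i) and Y(s, i)
def imp(X, Y):    return lambda s, i: (not X(s, i)) or Y(s, i)
def equiv(X, Y):  return lambda s, i: X(s, i) == Y(s, i)
def nxt(X):       return lambda s, i: i + 1 < len(s) and X(s, i + 1)          # strong next
def ev(X):        return lambda s, i: any(X(s, k) for k in range(i, len(s)))  # eventually
def always(X):    return neg(ev(neg(X)))                                      # henceforth

# Derived operators of Table 1.
more   = nxt(TRUE)                           # at least two states
empty  = neg(more)                           # exactly one state
skip   = nxt(empty)                          # exactly two states
finite = ev(empty)                           # trivially true on the intervals used here
def wnext(X):  return neg(nxt(neg(X)))       # weak next
def sfin(X):   return ev(land(empty, X))     # strong test of the final state
def fin(X):    return always(imp(empty, X))  # weak test of the final state
def evdot(X):  return ev(land(more, X))      # sometime before the very end
def boxdot(X): return always(imp(more, X))   # henceforth except perhaps at the very end

def holds(X, values, name="p"):
    """Does the interval whose states give `name` the listed values satisfy X?"""
    return X([{name: v} for v in values], 0)

def running_off_the_end():
    # box(p -> next not p) fails on p: t f t because the last state has p but no
    # successor; boxdot ignores the final state, as discussed after Table 1.
    body = imp(var("p"), nxt(neg(var("p"))))
    return holds(always(body), [True, False, True]), holds(boxdot(body), [True, False, True])

def finite_time_satisfiable(X, variables, max_states):
    """Brute force: try every finite interval over `variables` with at most
    max_states states; return the first satisfying one (a list of per-state
    value tuples ordered as `variables`) or None."""
    atoms = [dict(zip(variables, bits))
             for bits in product([False, True], repeat=len(variables))]
    for n in range(1, max_states + 1):
        for states in product(atoms, repeat=n):
            if X(list(states), 0):
                return [tuple(st[v] for v in variables) for st in states]
    return None

# The Sect. 3.3 example: box dia p and box dia not p, its invariant
# configuration box I and w, and its finite-time transition configuration.
p, r1, r2, r3, r4 = (var(v) for v in ("p", "r1", "r2", "r3", "r4"))
ORIGINAL = land(always(ev(p)), always(ev(neg(p))))
INV = land(land(equiv(r1, ev(p)), equiv(r2, ev(neg(r1)))),
           land(equiv(r3, ev(neg(p))), equiv(r4, ev(neg(r3)))))
W = land(neg(r2), neg(r4))
INVARIANT_CONFIG = land(W, always(INV))          # w first so the search prunes early
T = land(land(equiv(r1, lor(p, nxt(r1))), equiv(r2, lor(neg(r1), nxt(r2)))),
         land(equiv(r3, lor(neg(p), nxt(r3))), equiv(r4, lor(neg(r3), nxt(r4)))))
TRANSITION_CONFIG = land(land(W, always(T)), finite)
AUX = ["p", "r1", "r2", "r3", "r4"]

def reduction_check(max_states=3):
    """All three are unsatisfiable in finite time: box dia p forces p in the
    final state while box dia not p forces not p there."""
    return (finite_time_satisfiable(ORIGINAL, ["p"], 6),
            finite_time_satisfiable(INVARIANT_CONFIG, AUX, max_states),
            finite_time_satisfiable(TRANSITION_CONFIG, AUX, max_states))

def positive_check(max_states=3):
    """box dia p alone is satisfiable; the same reduction (only r1, r2 are
    needed) gives box T' and not r2 and finite, which has a one-state witness."""
    half_t = land(equiv(r1, lor(p, nxt(r1))), equiv(r2, lor(neg(r1), nxt(r2))))
    config = land(land(neg(r2), always(half_t)), finite)
    return (finite_time_satisfiable(always(ev(p)), ["p"], max_states),
            finite_time_satisfiable(config, ["p", "r1", "r2"], max_states))
```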

3.4 Notation for Accessing Parts of Conjunctions 

From the examples just given it can be seen that we often manipulate formulas which are conjunctions. The next three definitions provide some helpful notation for denoting the number of conjuncts of such a formula and for accessing one or more of them.

Definition 4 (Size of a Conjunction) For any conjunction C of zero or more conjuncts, let the notation |C| denote the number of C's conjuncts.

Definition 5 (Indexing of a Conjunction's Conjuncts) For each k : 1 ≤ k ≤ |C|, we let C[k] denote the k-th conjunct.

Observe that if a conjunction C has length |C| = 0, there are no conjuncts to be indexed.

Definition 6 (Parts of a Conjunction) Suppose C is a conjunction and k and l are natural numbers such that 1 ≤ k ≤ |C| and 0 ≤ l ≤ |C|. The notation C[k : l] denotes the conjunction of consecutive conjuncts in C starting with C[k] and finishing with C[l], inclusive, i.e., C[k] ∧ ⋯ ∧ C[l] (which contains l − k + 1 conjuncts).

Note that for any conjunction C, the formula C[1 : 0] denotes true and C[1 : |C|] is identical to C. Also, for any k : 1 ≤ k ≤ |C|, both C[k] and C[k : k] refer to the same conjunct.

4 Propositional Interval Temporal Logic 

We now describe the version of quantifier-free propositional ITL (PITL) used here for systematically analysing transition configurations. More on ITL can be found in [29,48-52,55-57] (see also [38]). The same discrete-time intervals are used as in PTL. In addition, all PTL constructs are permitted as well as two other ones. Hence, any PTL formula is also a PITL formula.

Here is the syntax of PITL's two extra constructs, where A and B are themselves PITL formulas:

  A; B (chop)     A* (chop-star) .

The semantics of the other constructs in PITL is as in PTL and is therefore omitted here.

Before defining the semantics of chop and chop-star, we introduce some notation for describing subintervals of an interval σ. For natural numbers i, j with i ≤ j ≤ |σ|, let σ_{i:j} denote the subinterval with starting state σᵢ and final state σⱼ and having interval length j − i (i.e., j − i + 1 states). Furthermore, if σ is an infinite interval, let σ_{i:ω} denote the (infinite) suffix subinterval starting with state σᵢ.

The formula A; B is true on σ (i.e., σ ⊨ A; B) iff one of the following holds:

• For some natural number i : 0 ≤ i ≤ |σ|, the interval σ can be divided into two subintervals σ_{0:i} and σ_{i:|σ|} sharing the state σᵢ such that both σ_{0:i} ⊨ A and σ_{i:|σ|} ⊨ B hold.

• The interval σ itself has infinite length and σ ⊨ A holds.

The formula A* is true on σ (i.e., σ ⊨ A*) iff one of the following holds:

• The interval σ has finite length and there exists some natural number n ≥ 0 and finite sequence of natural numbers l₀ < l₁ < ⋯ < lₙ where l₀ = 0 and lₙ = |σ|, such that for each i : 0 ≤ i < n, σ_{lᵢ:lᵢ₊₁} ⊨ A holds.

• The interval σ has infinite length and there exists some n ≥ 0 and finite sequence of natural numbers l₀ < l₁ < ⋯ < lₙ where l₀ = 0, such that for each i : 0 ≤ i < n, σ_{lᵢ:lᵢ₊₁} ⊨ A holds and also σ_{lₙ:ω} ⊨ A holds.

• The interval σ has infinite length and there exists some countably infinite strictly ascending sequence of natural numbers l₀ < l₁ < ⋯ where l₀ = 0, such that for each i : i ≥ 0, σ_{lᵢ:lᵢ₊₁} ⊨ A holds.

The behaviour of chop-star on empty intervals is a frequent source of confusion and it is therefore important to note that any formula A* (including false*) is true on a one-state interval. This is because in the semantics of chop-star for a one-state interval we can always set n = 0 and therefore ignore the values of variables in the interval σ.

Figure 2 pictorially illustrates the semantics of chop and chop-star in both finite and infinite time and also shows some simple PITL formulas together with intervals which satisfy them. For some sample formulas we include in parentheses versions using conventional PTL logic operators which were previously introduced in Sect. 3.

We make use of the following definitions of two straightforward forms of iteration expressible with chop and chop-star:

  A⁺ ≝ A; A*          A^ω ≝ (A ∧ finite)* ∧ inf .

In addition, for any n ≥ 0, we define Aⁿ to be the formula empty if n = 0 and otherwise to be A; Aⁿ⁻¹. The constructs A^{≤n} and A^{<n} are defined to be the disjunctions ⋁_{k≤n} A^k and ⋁_{k<n} A^k, respectively.

Other derived operators are also possible. Table 2 shows some especially useful ones.

  ◇ᵢA ≝ A; true              A is true in some initial subinterval
  □ᵢA ≝ ¬◇ᵢ¬A                A is true in all initial subintervals
  ◇ₐA ≝ finite; A; true      A is true in some subinterval
  □ₐA ≝ ¬◇ₐ¬A                A is true in all subintervals

Table 2: Some useful derived PITL operators

The notions of satisfiability and validity already introduced in Definition 1 for PTL naturally generalise to PITL.

Let PITL_V be the set of all PITL formulas only having variables in V.

The next definition introduces a special kind of state formula which is indispensable for interval-based reasoning. It plays the role that sets of formulas typically do in other analyses of PTL.

Definition 7 (Atoms and V-Atoms) An atom is any finite conjunction in which each conjunct is some propositional variable or its negation and no two conjuncts share the same variable. The set of all atoms is denoted Atoms. The Greek letters α, β and γ denote individual atoms. For any finite set of propositional variables V, let Atoms_V be some set of 2^|V| logically distinct atoms containing exactly the variables in V. We refer to such atoms as V-atoms.
[Figure 2: Informal PITL semantics and examples. Panel (a) gives the informal semantics of chop and chop-star for finite time and panel (b) for infinite time; the sample formulas shown with satisfying intervals include p; ¬p, skip; p (○p) and finite; ¬p, with each interval written as the sequence of truth values of p. The pictures and the interval values did not survive extraction.]
For example, we can let Atoms_{p,q} be the set of the four logically distinct atoms shown below:

  p ∧ q     p ∧ ¬q     ¬p ∧ q     ¬p ∧ ¬q .

One simple convention is to assume that the propositional variables in an atom occur from left to right in lexical order. For any finite set of variables V, this immediately leads to a suitable set of 2^|V| different V-atoms.
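The finite-interval semantics of chop and chop-star above, together with the iteration constructs A⁺ and Aⁿ and the derived operators of Table 2, as an added worked example not taken from the paper. The function names and the sample intervals are the example's own constructions; only finite intervals are handled.

```python
from itertools import product

# A formula is a function f(sigma, i, j) -> bool: does the subinterval
# sigma_{i:j} (states i..j inclusive) of the finite interval sigma satisfy it?
def var(p):      return lambda s, i, j: s[i][p]
TRUE  = lambda s, i, j: True
FALSE = lambda s, i, j: False
def neg(X):      return lambda s, i, j: not X(s, i, j)
def land(X, Y):  return lambda s, i, j: X(s, i, j) and Y(s, i, j)
def nxt(X):      return lambda s, i, j: i < j and X(s, i + 1, j)                  # strong next
def ev(X):       return lambda s, i, j: any(X(s, k, j) for k in range(i, j + 1))  # eventually
empty  = neg(nxt(TRUE))   # one state
skip   = nxt(empty)       # two states
finite = ev(empty)        # true on every interval considered here

def chop(A, B):
    # A;B (finite case): some state k splits sigma_{i:j} into sigma_{i:k} |= A
    # and sigma_{k:j} |= B, the two pieces sharing state k.
    return lambda s, i, j: any(A(s, i, k) and B(s, k, j) for k in range(i, j + 1))

def chopstar(A):
    # A* (finite case): l_0 = i < l_1 < ... < l_n = j with n >= 0 and every
    # piece sigma_{l_t:l_{t+1}} |= A.  A one-state interval takes n = 0, so the
    # values in it never matter and even false* holds there.
    def star(s, i, j):
        if i == j:
            return True
        return any(A(s, i, k) and star(s, k, j) for k in range(i + 1, j + 1))
    return star

def chopplus(A): return chop(A, chopstar(A))                             # A^+ = A; A*
def power(A, n): return empty if n == 0 else chop(A, power(A, n - 1))    # A^n
def dia_i(A):    return chop(A, TRUE)                # some initial subinterval (Table 2)
def box_i(A):    return neg(dia_i(neg(A)))           # all initial subintervals
def dia_a(A):    return chop(finite, chop(A, TRUE))  # some subinterval
def box_a(A):    return neg(dia_a(neg(A)))           # all subintervals

def holds(X, values, name="p"):
    """Does the interval giving `name` the listed values satisfy X?"""
    s = [{name: v} for v in values]
    return X(s, 0, len(s) - 1)

def same_on_small_intervals(X, Y, max_states=5, name="p"):
    """Compare two formulas on every interval over one variable with at most
    max_states states (the intervals are enumerated exhaustively)."""
    return all(holds(X, vals, name) == holds(Y, vals, name)
               for n in range(1, max_states + 1)
               for vals in product([False, True], repeat=n))

def demo():
    p = var("p")
    no_pp = neg(land(p, nxt(p)))                    # not (p and next p)
    unit_pf = land(skip, land(p, nxt(neg(p))))      # two states: p then not p
    return {
        "false* on one state": holds(chopstar(FALSE), [True]),
        "false* on two states": holds(chopstar(FALSE), [True, False]),
        "p;not p on t f f": holds(chop(p, neg(p)), [True, False, False]),
        "skip;p equals next p": same_on_small_intervals(chop(skip, p), nxt(p)),
        "finite;not p equals eventually not p":
            same_on_small_intervals(chop(finite, neg(p)), ev(neg(p))),
        "skip^3 on 4 and 3 states":
            (holds(power(skip, 3), [True] * 4), holds(power(skip, 3), [True] * 3)),
        "(p and skip)* on t t t f and t f t f":
            (holds(chopstar(land(p, skip)), [True, True, True, False]),
             holds(chopstar(land(p, skip)), [True, False, True, False])),
        "some unit subinterval p then not p":
            (holds(dia_a(unit_pf), [False, True, True, False]),
             holds(dia_a(unit_pf), [False, True, True])),
        "no two adjacent p states":
            (holds(box_a(no_pp), [False, True, False, True]),
             holds(box_a(no_pp), [False, True, True])),
    }
```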

5 Transition Configurations 

Starting with a finite set of variables V, an NL¹_V formula T and a state formula init in PROP_V, we consider small models, a decision procedure and axiomatic completeness for certain low-level formulas referred to here as transition configurations. These formulas play a central role in our approach. The analysis of arbitrary PTL formulas can be ultimately reduced to that of transition configurations.

Before actually formally defining transition configurations, we need to introduce the concept of a conditional liveness formula which is a specific kind of conjunction necessary for reasoning about liveness properties involving infinite time. The definition therefore makes use of some general notation already introduced in Definitions 4-6 for manipulating conjunctions.

Definition 8 (Conditional Liveness Formulas) A conditional liveness formula L is a conjunction of |L| implications L[1] ∧ ⋯ ∧ L[|L|]. Each implication
has the form w ⊃ ◇⁺w', where w and w' are two state formulas. For convenience,
we let η_{L[k]} denote the left operand of the k-th implication in L. Similarly, θ_{L[k]}
denotes the operand of the ◇⁺ formula in the k-th implication L[k]'s right side.
Therefore, for each k: 1 ≤ k ≤ |L|, the implications L[k] and η_{L[k]} ⊃ ◇⁺θ_{L[k]}
denote the same formula.

For any V-atom α and any k: 1 ≤ k ≤ |L|, if the formula α ∧ η_{L[k]} is
satisfiable, we say that α enables L's k-th implication L[k].

Here is a sample conditional liveness formula:

$$((p \lor \lnot q) \supset \Diamond^{+}\lnot p) \land (q \supset \Diamond^{+}(p \equiv \lnot q)) \land (\mathit{true} \supset \Diamond^{+}(p \supset q)) . \qquad (1)$$

Note that ◇⁺ behaves the same as ◇ on infinite intervals. However, in finite
intervals ◇⁺, like its dual ⊞, ignores the final state. In principle, either ◇ or
◇⁺ can be used in conditional liveness formulas and the choice between them
appears to be largely a matter of taste. Nevertheless, we choose to use ◇⁺ in part
because it facilitates an interesting generalisation of both conditional liveness
formulas and another kind of formula called an invariant which is introduced
later. This generalisation will be mentioned in Sect. 13.3. In addition,
the application of ◇⁺ naturally complements our extensive use of its dual ⊞.
Here is the definition of transition configurations: 

Definition 9 (Transition Configurations) A transition configuration is a
formula of the form □T ∧ X, where the formula T is in NL_V, and the PTL_V
formula X has one of the four forms shown below:

    Type of transition configuration    Syntax of X
    Finite-time                         init ∧ finite
    Infinite-time                       init ∧ □◇⁺L
    Final                               w ∧ empty
    Periodic                            α ∧ L ∧ □◇⁺(α ∧ L)

Here init is a state formula in PROP_V which corresponds to some initial
condition, w is some state formula in PROP_V, L is a conditional liveness formula
in PTL_V and α is a V-atom. If init is the formula true, it can be omitted. The
same applies with w.

    Type of transition configuration    PITL_V formula                                       Where proved
    Finite-time                         (($T)* ∧ init ∧ finite); (T ∧ empty)                 Theorem 17
    Infinite-time                       (($T)* ∧ init ∧ finite); (($T)* ∧ L ∧ (V ← V))^ω    Theorem 26
    Final                               T ∧ w ∧ empty                                        straightforward
    Periodic                            (($T)* ∧ α ∧ L)^ω                                    Theorem 24

Table 3: Reduction of transition configurations to PITL_V formulas

For example, the conjunction □(more ⊃ (p ≡ ○p)) ∧ p ∧ finite is a finite-time
transition configuration which is true exactly for finite intervals in which p is
always true.

Note: In the course of analysing transition configurations, we will assume that 
V, T, init and L are fixed. 

We will show that finite-time and infinite-time transition configurations are
equivalent to certain PITL_V formulas for which we can more readily establish
such things as the existence of periodic models, small models, a decision
procedure and axiomatic completeness. Table 3 shows the corresponding PITL_V
formula for each kind of transition configuration and where the equivalence of
the two is proved. Here V ← V denotes that the initial value of each variable
occurring in the set of variables V equals its final value. It can be expressed as
the PTL_V formula finite ⊃ ∧_{v∈V}(v ≡ fin v) and is semantically equivalent to
the disjunction ∨_{α∈Atoms_V}(α ∧ fin α).

Theorem 36 will furthermore establish that the infinite-time transition
configuration is satisfiable iff the next PTL formula is satisfiable in finite time:

$$\boxplus T \land \mathit{init} \land \Diamond(L \land \mathit{finite} \land \mathit{more} \land (V \leftarrow V)) .$$

[Figure 3: Illustration of equivalence of ($T)* and ⊞T (two four-state intervals; the second uses the NL¹ formula p ⊃ ○¬p with specific values for p).]

In order to perform interval-based analysis on transition configurations, we
need to relate □T to the PITL formula ($T)*. Now the PTL formula ⊞T,
which is very similar to □T, was previously defined in the table of derived
operators to be true on an interval iff T is true in all of the interval's nonempty
suffix subintervals. It turns out that due to T being in NL¹, the formula ($T)*
is semantically equivalent to ⊞T. Intuitively, this is because an NL¹ formula
cannot probe past the second state of an interval. The next lemma formalises this:

Lemma 10 Let σ and σ' be two nonempty intervals which share the same first
two states (i.e., σ₀ = σ'₀ and σ₁ = σ'₁). Then, for any formula T in NL¹, σ
satisfies T iff σ' satisfies T.

Proof Induction on T's syntax ensures that it cannot distinguish between σ
and σ'. □

Consequently, if two nonempty intervals share the same first two states,
then the truth value of T for both intervals is identical. Figure 3 illustrates this
with two instances of an interval containing 4 states. The second version uses
the concrete NL¹ formula p ⊃ ○¬p and shows specific values for the propositional
variable p. Both ($T)* and ⊞T test each pair of adjacent states. The
equivalence consequently permits us to express ($T)* in PTL by means of ⊞T.
In addition, it is often useful to express ⊞T as ($T)* because the latter turns
out to be much more suitable for interval-based reasoning involving sequential
composition and decomposition.

We now formally establish the semantic equivalence of the formulas ($T)*
and ⊞T:

Theorem 11 The PITL formula ($T)* and the PTL formula ⊞T are semantically equivalent and hence the equivalence ($T)* ≡ ⊞T is valid.

Proof Given an interval σ, we can put each two-state (unit) subinterval in one-to-one correspondence with the suffix (nonempty) subinterval which shares the
first two states. Now σ satisfies ($T)* iff T is true on all of σ's unit subintervals.
Similarly, σ satisfies ⊞T iff T is true on all of σ's nonempty suffix subintervals.
By the previous Lemma 10, a given unit subinterval satisfies T iff the matching
suffix (nonempty) subinterval satisfies T. Consequently, the overall interval
satisfies ($T)* iff it satisfies ⊞T. □

It is not hard to check that on a one-state (empty) interval, ⊞T is trivially
true. On a two-state (unit) interval, it is semantically equivalent to the formula
T itself.
Also note that the PTL formula □T is semantically equivalent to the PTL
formula ⊞T ∧ fin T. This fact and Theorem 11 together establish that □T is
also semantically equivalent to the PITL formula ($T)* ∧ fin T. Therefore, the
□T formula in transition configurations can be readily re-expressed in PITL as
the conjunction ($T)* ∧ fin T. This will assist our interval-based analysis of
transition configurations.
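As an added example (not code from the paper), the following Python script mechanically checks Theorem 11 and the equivalence □T ≡ ($T)* ∧ fin T just noted by enumerating every finite interval over {p, q} with at most five states; the tuple encoding of formulas, the small evaluator and the counterexample formula outside NL¹ are all assumptions of this example.

```python
from itertools import product

# Formula constructors: nested tuples tagged with one of these names.
Var, Not, And, Imp = "var", "not", "and", "imp"
Next, Box, BoxPlus, Fin, Empty = "next", "box", "boxplus", "fin", "empty"


def holds(f, sigma, i=0):
    """True iff formula f holds on the suffix sigma[i:] of the finite interval
    sigma (a nonempty list of states; a state is the frozenset of variables
    true in it).  Finite-time PTL semantics over suffix subintervals."""
    tag = f[0]
    if tag == Var:
        return f[1] in sigma[i]
    if tag == Not:
        return not holds(f[1], sigma, i)
    if tag == And:
        return holds(f[1], sigma, i) and holds(f[2], sigma, i)
    if tag == Imp:
        return (not holds(f[1], sigma, i)) or holds(f[2], sigma, i)
    if tag == Empty:                       # the suffix is a one-state interval
        return i == len(sigma) - 1
    if tag == Next:                        # strong next: a next state must exist
        return i + 1 < len(sigma) and holds(f[1], sigma, i + 1)
    if tag == Box:                         # all suffix subintervals, final one included
        return all(holds(f[1], sigma, j) for j in range(i, len(sigma)))
    if tag == BoxPlus:                     # ⊞: all NONEMPTY suffix subintervals only
        return all(holds(f[1], sigma, j) for j in range(i, len(sigma) - 1))
    if tag == Fin:                         # fin A: A holds in the final state
        return holds(f[1], sigma, len(sigma) - 1)
    raise ValueError(f"unknown operator {tag}")


def chop_star_unit(T, sigma):
    """($T)*: T holds on every two-state (unit) subinterval of sigma.  Each unit
    subinterval is evaluated as a fresh interval, so T cannot see beyond it."""
    return all(holds(T, sigma[j:j + 2]) for j in range(len(sigma) - 1))


def all_intervals(variables, max_len):
    """Every finite interval over `variables` having 1..max_len states."""
    states = [frozenset(v for v, bit in zip(variables, bits) if bit)
              for bits in product((0, 1), repeat=len(variables))]
    for n in range(1, max_len + 1):
        for combo in product(states, repeat=n):
            yield list(combo)


def check_theorem_11(T, variables=("p", "q"), max_len=5):
    """Exhaustively test, on every interval over `variables` with up to max_len
    states, that ($T)* agrees with ⊞T (Theorem 11) and that □T agrees with
    ($T)* ∧ fin T.  Returns (intervals examined, whether all of them agreed)."""
    count = 0
    for sigma in all_intervals(variables, max_len):
        count += 1
        star = chop_star_unit(T, sigma)
        if star != holds((BoxPlus, T), sigma):
            return count, False
        if holds((Box, T), sigma) != (star and holds((Fin, T), sigma)):
            return count, False
    return count, True


# The NL^1 formula of Figure 3: p ⊃ ○¬p.  It reads only the first two states.
T_EXAMPLE = (Imp, (Var, "p"), (Next, (Not, (Var, "p"))))
# Constructed formula outside NL^1: ¬○○p probes a third state, so on a
# three-state interval ⊞T and ($T)* can disagree (the hypothesis of Lemma 10).
T_NOT_NL1 = (Not, (Next, (Next, (Var, "p"))))

if __name__ == "__main__":
    print(check_theorem_11(T_EXAMPLE))   # (1364, True)
    print(check_theorem_11(T_NOT_NL1))
```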

Remark 12 We have discussed the important semantic equivalence of the formulas ($T)* and ⊞T with quite a few people who themselves have a considerable
amount of experience with both PTL and PITL. Originally we thought that this
amounted to a straightforward application of temporal logic. However, to our
surprise, these people found the equivalence and its applications to be nontrivial
and interesting. For this reason, we have designated the statement of the equivalence of ($T)* and ⊞T to be a theorem (i.e., the previous Theorem 11), rather
than merely a lemma.

Here is a corollary of Theorem 11 for infinite time:

Corollary 13 The two formulas □T and ($T)* are semantically equivalent on
infinite intervals and hence the implication inf ⊃ (□T ≡ ($T)*) is valid.

Proof This readily follows from Theorem 11 and the semantic equivalence of
⊞T and □T on infinite intervals. □

The next two Lemmas 14 and 15 subsequently provide a basis for relating
finite-time transition configurations to final ones and also for relating infinite-time transition configurations to periodic ones.

Lemma 14 For any PITL formula A, the next equivalence is valid:

$$\models \Box T \land \Diamond A \;\equiv\; (\$T)^* \land \Diamond(\Box T \land A) .$$

Proof We first establish the validity of the PTL formula □p ≡ ⊞p ∧ ◇□p,
which itself leads to the validity of the formula □p ∧ ◇q ≡ ⊞p ∧ ◇(□p ∧ q).
We then substitute T into p and A into q. Finally, Theorem 11 permits us to
replace ⊞T by ($T)*. □

Lemma 15 For any state formula w and PITL formula A, the next equivalence
is valid:

$$\models \Box T \land w \land \Diamond A \;\equiv\; ((\$T)^* \land w \land \mathit{finite});(\Box T \land A) . \qquad (2)$$

Proof Lemma 14 ensures that □T ∧ ◇A is semantically equivalent to the
conjunction ($T)* ∧ ◇(□T ∧ A). This is itself semantically equivalent to the
next PITL formula:

$$((\$T)^* \land \mathit{finite});((\$T)^* \land \Box T \land A) .$$

Now □T trivially implies ⊞T which by Theorem 11 is semantically equivalent
to ($T)*. This consequently permits us to simplify the subformula ($T)* ∧ □T
into □T to obtain the next valid equivalence:

$$\models \Box T \land \Diamond A \;\equiv\; ((\$T)^* \land \mathit{finite});(\Box T \land A) .$$

Simple temporal reasoning permits us to suitably add the state formula w to
each side to obtain the validity of the formula (2). □

5.1 Analysis of Finite-Time Behaviour 

The following Lemma 16 and Theorem 17 concern reducing a finite-time transition configuration to the associated semantically equivalent PITL formula in
Table 3 which is easier to analyse later:

Lemma 16 The following equivalence is valid for finite-time transition configurations and relates them to final configurations:

$$\models \Box T \land \mathit{init} \land \mathit{finite} \;\equiv\; ((\$T)^* \land \mathit{init} \land \mathit{finite});(\Box T \land \mathit{empty}) . \qquad (3)$$

Proof The formula finite is defined to be ◇empty. Therefore Lemma 15
ensures the validity of the equivalence (3). □

Theorem 17 builds on Lemma 16 by reducing a finite-time transition configuration to a chop formula in PITL which is even easier to analyse because its
righthand operand is in NL¹:

Theorem 17 The following equivalence is valid for finite-time transition configurations:

$$\models \Box T \land \mathit{init} \land \mathit{finite} \;\equiv\; ((\$T)^* \land \mathit{init} \land \mathit{finite});(T \land \mathit{empty}) .$$

Proof This readily follows from Lemma 16 and the fact that in an empty
interval, the formulas □T and T are equivalent. □

Note that the PITL formula (($T)* ∧ init ∧ finite); (T ∧ empty) can also be expressed as the semantically equivalent PITL formulas init?; (($T)* ∧ finite); T?
and init ∧ ($T)* ∧ sfin T. Each form has its benefits. We prefer T ∧ empty
over the equivalent T? since some readers might get confused upon seeing the
operator ? with an operand which is a temporal formula even though this is
permitted in PITL.

5.2 Analysis of Infinite-Time Behaviour 

We now turn to analysing infinite-time transition configurations. The first step
involves relating them to periodic transition configurations. The next Lemma 18
does this:
Lemma 18 The following equivalence is valid for infinite-time transition configurations:

$$\models \Box T \land \mathit{init} \land \Box\Diamond^{+}L \;\equiv\; ((\$T)^* \land \mathit{init} \land \mathit{finite});\bigvee_{\alpha \in \mathit{Atoms}_V}(\Box T \land \alpha \land L \land \Box\Diamond^{+}(\alpha \land L)) . \qquad (4)$$

Proof Observe that in an infinite interval if L is always eventually true then
for at least one of the finite number of V-atoms, the conjunction α ∧ L is
also always eventually true. Therefore simple temporal reasoning yields that
□◇⁺L is semantically equivalent to the disjunction ∨_{α∈Atoms_V} □◇⁺(α ∧ L).
The subformula □◇⁺(α ∧ L) can be re-expressed as ◇(α ∧ L ∧ □◇⁺(α ∧ L)),
so the next equivalence concerning □◇⁺L is valid:

$$\models \Box\Diamond^{+}L \;\equiv\; \Diamond\bigvee_{\alpha \in \mathit{Atoms}_V}(\alpha \land L \land \Box\Diamond^{+}(\alpha \land L)) . \qquad (5)$$

We then use Lemma 15 to establish the equivalence below for some arbitrary
V-atom α:

$$\models \Box T \land \mathit{init} \land \Diamond(\Box T \land \alpha \land L \land \Box\Diamond^{+}(\alpha \land L)) \;\equiv\; ((\$T)^* \land \mathit{init} \land \mathit{finite});(\Box T \land \alpha \land L \land \Box\Diamond^{+}(\alpha \land L)) .$$

Some simple temporal reasoning involving chop and ∨ yields the next valid
equivalence:

$$\models \Box T \land \mathit{init} \land \Diamond\bigvee_{\alpha \in \mathit{Atoms}_V}(\Box T \land \alpha \land L \land \Box\Diamond^{+}(\alpha \land L)) \;\equiv\; ((\$T)^* \land \mathit{init} \land \mathit{finite});\bigvee_{\alpha \in \mathit{Atoms}_V}(\Box T \land \alpha \land L \land \Box\Diamond^{+}(\alpha \land L)) . \qquad (6)$$

The combination of this and the previously mentioned semantic equivalence (5)
establishes the validity of the equivalence (4). □

5.2.1 Reduction using Chop-Omega Operator 

Much of the remainder of the analysis consists of showing how to further reduce a
periodic transition configuration □T ∧ α ∧ L ∧ □◇⁺(α ∧ L) to the semantically
equivalent PITL formula (($T)* ∧ α ∧ L)^ω. A general class of formulas which
includes α ∧ L will now be described. For any PITL formula A in this class, the
two formulas A ∧ □◇⁺A and A^ω will be shown to be semantically equivalent
in Theorem 23. We first need to introduce a derived PITL operator which turns
out to be useful for analysing periodic behaviour in infinite intervals.

Definition 19 (The Operator ◇ᵢ) For any PITL formula A, let the PITL
formula ◇ᵢA be defined to be (A ∧ finite); true. Therefore, ◇ᵢA is true on an
interval iff A is true on some finite subinterval starting at the beginning of the
overall interval.

Note that ◇ᵢA can also be expressed with the derived operator for initial
subintervals (itself previously defined in the table of derived operators) applied
to the formula A ∧ finite.

It is worthwhile to define a notion of fixpoints of the operator ◇ᵢ:

Definition 20 (Fixpoints of the Operator ◇ᵢ) A PITL formula A is a fixpoint of ◇ᵢ iff the equivalence A ≡ ◇ᵢA is valid.

Fixpoints of ◇ᵢ are easier to move out of subintervals than are arbitrary formulas.
Incidentally, for any PITL formula A, the formula ◇ᵢA is a trivial fixpoint of ◇ᵢ
since ◇ᵢA and ◇ᵢ◇ᵢA are semantically equivalent. We will shortly show that all
conditional liveness formulas are ◇ᵢ-fixpoints and later use this in the analysis
of infinite intervals.

We extensively investigate fixpoints of various temporal operators and their 
application to compositional reasoning in [52-55]. 

The next lemma characterises a broad syntactic class of formulas which are
◇ᵢ-fixpoints and is easy to check:

Lemma 21 Every state formula is a ◇ᵢ-fixpoint. Furthermore, if the PITL
formulas A and B are ◇ᵢ-fixpoints, then so are the PITL formulas A ∧ B,
A ∨ B, ○A and ◇A.

Lemma 22 Every conditional liveness formula is a ◇ᵢ-fixpoint.

Proof A conditional liveness formula is a conjunction of implications each of
which has the form w ⊃ ◇⁺w' for some state formulas w and w'. If we replace ⊃ and ◇⁺ by their definitions, then the implication reduces to the formula
¬w ∨ ◇((○true) ∧ w'). Lemma 21 then ensures that this is a ◇ᵢ-fixpoint.
Consequently, the original implication w ⊃ ◇⁺w' is one as well. Therefore by
Lemma 21 the conjunction of such implications which constitutes a conditional
liveness formula is also a ◇ᵢ-fixpoint. □

Observe that by Lemmas 21 and 22 the formula α ∧ L is itself a ◇ᵢ-fixpoint
because both α and L are ◇ᵢ-fixpoints.

Now the formula α ∧ L ∧ □◇⁺(α ∧ L) is itself an instance of the PITL
formula A ∧ □◇⁺A. We now prove in Theorem 23 that if A is a ◇ᵢ-fixpoint, then
the formula A ∧ □◇⁺A can be re-expressed as the semantically equivalent PITL
formula A^ω. This will let us re-express α ∧ L ∧ □◇⁺(α ∧ L) as the semantically
equivalent PITL formula (α ∧ L)^ω. The establishment of this equivalence is a
key step in the reduction of reasoning about infinite-time behaviour to finite-time behaviour and consequently proving the existence of periodic models for
satisfiable periodic transition configurations.

Theorem 23 For any PITL formula A which is a ◇ᵢ-fixpoint, the next equivalence is valid:

$$\models A \land \Box\Diamond^{+}A \;\equiv\; A^{\omega} . \qquad (7)$$

Proof Left side implies right side: Suppose that an interval σ satisfies A ∧
□◇⁺A. Now this conjunction is semantically equivalent to the formula ◇ᵢA ∧
□◇⁺◇ᵢA because A is a ◇ᵢ-fixpoint. Therefore σ also satisfies the formula ◇ᵢA ∧
□◇⁺◇ᵢA. Furthermore, σ is clearly an infinite interval due to the conjunct
containing □◇⁺. Therefore, σ has an infinite number of finite subintervals
which all satisfy A including some starting with σ's first state. An infinite
sequence of nonoverlapping finite-length subintervals all satisfying A can then
be selected with the first one commencing at σ's first state. Consequently, σ
satisfies the PITL formula ((A ∧ finite); true)^ω which is the same as (◇ᵢA)^ω.
This and the assumption that A is a ◇ᵢ-fixpoint yield that σ satisfies A^ω.

Right side implies left side: Suppose that an interval σ satisfies A^ω. Therefore σ is an infinite interval and has an infinite number of finite subintervals
all satisfying A, including one starting with σ's initial state. From this we can
readily obtain the valid PITL implication shown below:

$$\models A^{\omega} \supset (A \land \mathit{finite});\mathit{true} \land \Box\Diamond^{+}((A \land \mathit{finite});\mathit{true}) .$$

This can be re-expressed using ◇ᵢ as follows:

$$\models A^{\omega} \supset \Diamond_{i}A \land \Box\Diamond^{+}\Diamond_{i}A .$$

The assumption that A is a ◇ᵢ-fixpoint then yields the desired validity of the
semantically equivalent implication A^ω ⊃ A ∧ □◇⁺A. □

The next Theorem 24 relates any periodic transition configuration with its
associated PITL formula shown in Table 3.

Theorem 24 The next equivalence concerning a periodic transition configuration is valid:

$$\models \Box T \land \alpha \land L \land \Box\Diamond^{+}(\alpha \land L) \;\equiv\; ((\$T)^* \land \alpha \land L)^{\omega} . \qquad (8)$$

Proof Lemmas 21 and 22 ensure that the formula α ∧ L is itself a ◇ᵢ-fixpoint
because both α and L are ◇ᵢ-fixpoints. Therefore Theorem 23 yields the validity
of the equivalence α ∧ L ∧ □◇⁺(α ∧ L) ≡ (α ∧ L)^ω. Now we conjoin □T to
each side of the equivalence. We then use the fact that □T and ($T)* are
semantically equivalent in infinite time (Corollary 13) so the equivalence below
is valid:

$$\models \Box T \land \alpha \land L \land \Box\Diamond^{+}(\alpha \land L) \;\equiv\; (\$T)^* \land (\alpha \land L)^{\omega} .$$

Now ($T)* ∧ (α ∧ L)^ω is an instance of the PITL formula ($B)* ∧ C^ω which
itself is semantically equivalent to (($B)* ∧ C)^ω. The intuition here is that
both of them use $B to test exactly all the two-state subintervals of the overall
interval. Finally, we use this to re-express ($T)* ∧ (α ∧ L)^ω as (($T)* ∧ α ∧ L)^ω,
thereby obtaining the validity of formula (8). □

The following Lemma 25 concerning a disjunction of periodic transition configurations is needed to justify our reduction of the satisfiability of an infinite-time
transition configuration to the associated PITL_V formula shown in Table 3.

Lemma 25 The next equivalence is valid:

$$\models \bigvee_{\alpha \in \mathit{Atoms}_V}(\Box T \land \alpha \land L \land \Box\Diamond^{+}(\alpha \land L)) \;\equiv\; ((\$T)^* \land L \land (V \leftarrow V))^{\omega} . \qquad (9)$$

Proof Theorem 24 ensures that the equivalence given below is valid:

$$\models \Box T \land \alpha \land L \land \Box\Diamond^{+}(\alpha \land L) \;\equiv\; ((\$T)^* \land \alpha \land L)^{\omega} .$$

Simple temporal reasoning establishes that the equivalence's righthand operand
(($T)* ∧ α ∧ L)^ω can then be re-expressed as the formula α ∧ (($T)* ∧ L ∧
(V ← V))^ω. Some further simple reasoning about the operator ∨ yields the
validity of the equivalence (9). □

The equivalence of an infinite-time transition configuration with the associated PITL_V formula shown in Table 3 is now established:

Theorem 26 The following equivalence is valid for infinite-time transition configurations:

$$\models \Box T \land \mathit{init} \land \Box\Diamond^{+}L \;\equiv\; ((\$T)^* \land \mathit{init} \land \mathit{finite});((\$T)^* \land L \land (V \leftarrow V))^{\omega} .$$

Proof This readily follows from Lemma 18 which relates infinite-time transition configurations to periodic transition configurations and Lemma 25 which
re-expresses the disjunction of several periodic transition configurations using
chop-omega. □



5.2.2 Fusion and Canonical Intervals 

Let us consider some general concepts and techniques concerning PITL and its 
notion of intervals. They will be extensively used later on. 

Definition 27 (Fusion) Let σ and σ' be two intervals. The definition of the
fusion of them, denoted σ ∘ σ', has two cases, depending on whether σ has finite
length or not:

• If σ has finite length, we require that the last state of σ equals the first state of
σ'. The fusion of σ with σ' is then the interval obtained by appending
the two intervals together so as to include only one copy of the shared
state.

• Otherwise, the fusion is σ itself, no matter what σ' is.

For example, suppose s₁, s₂ and s₃ are states. If σ is the interval s₁s₂ and σ' is
the interval s₂s₃, then their fusion σ ∘ σ' equals the three-state interval s₁s₂s₃,
rather than the four-state interval s₁s₂s₂s₃ which concatenation yields. Note
that when σ has finite length and σ and σ' do not share the relevant state, then
their fusion is undefined. If both σ and σ' are finite and compatible, then the
interval σ ∘ σ' contains the total number of states in σ and σ' minus one. Hence
the interval length of σ ∘ σ' equals the sum of the interval lengths of σ and σ'.
Pratt first defined fusion for describing the semantics of a process logic [62] and
called it fusion product.
It is worth comparing chop and fusion. Fusion is a general operation definable for such things as strings (i.e., sequences of letters) or intervals (i.e.,
sequences of states). As used here, it starts with two suitable intervals and
joins them together. In contrast, chop is a logical operator which starts with
an overall interval and then tests for the existence of a way to split it into two
fusible subintervals. Furthermore, the semantics of the chop operator can be
defined using fusion, whereas fusion is for our purposes a semantic concept, not
a logical construct.

Here is a lemma relating chop with fusion: 

Lemma 28 A PITL formula A; B is satisfiable iff there exist two intervals σ
and σ' such that the fusion of them σ ∘ σ' is defined and one of the following is
true:

• The interval σ has finite length, it satisfies A and the interval σ' satisfies
B.

• The interval σ has infinite length and it satisfies A.

This lemma provides a way to reduce the problem of constructing an interval 
satisfying A; B to that of constructing intervals satisfying A and B. 

Before further reducing transition configurations involving infinite time, we 
introduce the notion of canonical intervals and discuss their use in relating 
the satisfiability of chop and chop-omega formulas with satisfiability of their 
operands. 

The next definition of a notion of canonical states and intervals together
with the subsequent Lemma 30 will be extensively utilised to facilitate reasoning
about intervals.

Definition 29 (Canonical States and Intervals) For any finite set of variables V and state s, we say that s is a V-state if s assigns each variable not in
V the value false.

Similarly, for any finite set of variables V and interval σ, we say that σ is
a V-interval if σ's states all assign each variable not in V the value false.

Furthermore, for any set of variables V, we can denote a V-state by
the unique V-atom which the state satisfies. In addition, a V-interval can be
denoted by the unique sequence of V-atoms associated with its V-states.

For example, for any V-atoms α and β, the two-atom sequence αβ denotes
a finite V-interval with V-states denoted by α and β, respectively. Hence,
αβ ⊨ X denotes that the two-state V-interval αβ satisfies the formula X. If X
is in PTL_V, then αβ ⊨ X holds iff the conjunction α ∧ ○β? ∧ X is satisfiable.
Furthermore a single V-atom α can be regarded as a one-state V-interval. For
example, α ⊨ X denotes that the one-state V-interval α satisfies X. For any
X in PTL_V, this is the case iff the conjunction α ∧ X ∧ empty is satisfiable.
Similarly, the notation αβα ⊨ X denotes that the V-interval αβα, which has
two identical states, satisfies the formula X.

The next lemma ensures that any satisfiable PITL_V formula is satisfied by
some V-interval.

Lemma 30 An interval σ satisfies a PITL_V formula A iff there exists a V-interval which has the same number of states as σ, agrees with σ on the values of the
variables in V and moreover satisfies A.

Proof Let σ' be the V-interval obtained from σ by setting all variables not
in the set V to false in each state. The semantics in PITL of A ignores such
variables. □

The following lemma employs V-atoms and the PTL construct finite to 
express a simple sufficient condition which ensures that any two intervals which 
respectively satisfy the two parts of a chop formula with a particular syntax 
given in the lemma can be fused together into an interval which satisfies the 
overall chop formula. 

Lemma 31 For any V-atom α and PITL_V formulas A and B, the following
are equivalent:

(a) The formula (A ∧ finite); (α ∧ B) is satisfiable.

(b) The formulas A ∧ sfin α and α ∧ B are satisfiable.

Proof (a) ⇒ (b): If some interval σ satisfies the formula (A ∧ finite); (α ∧ B),
then by the semantics of chop there exist two subintervals of σ denoted here as
σ' and σ'' such that the subinterval σ' satisfies A ∧ finite and moreover if σ' has
finite length, then σ'' satisfies α ∧ B. The right subformula finite in A ∧ finite
ensures that σ' is indeed finite and therefore σ'' does satisfy α ∧ B.

(b) ⇒ (a): If the two formulas A ∧ sfin α and α ∧ B are satisfiable, then by
Lemma 30 some V-intervals σ and σ' satisfy them. Now σ is finite due to the
subformula sfin α. Also, the last state of σ and the first state of σ' both equal
the V-state denoted by the V-atom α. Hence σ and σ' can be fused and the
fusion σ ∘ σ' satisfies the formula (A ∧ finite); (α ∧ B). □

5.2.3 Periodic Models and Reduction to Finite-Time Behaviour 

The remaining material in this section deals with relating transition configura- 
tions involving infinite time to other formulas involving periodicity as well as to 
formulas about finite time. The connections are interesting in themselves and 
also later utilised. 

The next Lemmas 32 and 33 help to establish small models, decidability and
axiomatic completeness for periodic transition configurations:

Lemma 32 For any V-atom α and PITL_V formula A, the following are equivalent:

(a) The formula (α ∧ A)^ω is satisfiable.

(b) The formula (α ∧ A)^ω has a periodic model.

(c) The formula α ∧ A ∧ ◇ sfin α is satisfiable (in finite time).
Proof (a) ⇒ (c): Suppose the interval σ satisfies (α ∧ A)^ω. We can assume
each iteration of α ∧ A occurs in a nonempty, finite interval as expressed by the
next valid equivalence:

$$\models (\alpha \land A)^{\omega} \;\equiv\; (\alpha \land A \land \mathit{finite} \land \mathit{more})^{\omega} .$$

Furthermore, each pair of adjacent iterations share a common state satisfying
α and hence all have α true at the beginning and end as is captured by the
following valid equivalence:

$$\models (\alpha \land A)^{\omega} \;\equiv\; (\alpha \land A \land \mathit{finite} \land \mathit{more} \land \mathit{fin}\,\alpha)^{\omega} .$$

Therefore the subformula α ∧ A ∧ finite ∧ more ∧ fin α is satisfiable (in finite
time) and hence the semantically equivalent formula α ∧ A ∧ ◇ sfin α is also
satisfiable.

(c) ⇒ (b): Suppose the interval σ satisfies α ∧ A ∧ ◇ sfin α. As a consequence of α being a V-atom and A being a PITL_V formula together with
Lemma 30 we can assume without loss of generality that σ is a V-interval. We
then readily fuse ω instances of σ together to obtain a periodic interval satisfying
the formula (α ∧ A)^ω.

(b) ⇒ (a): Clearly if some periodic interval satisfies (α ∧ A)^ω, then this
formula is satisfiable. □

Lemma 33 shows that any satisfiable periodic transition configuration has
a periodic model. Subsequently, Theorem 36 establishes that any satisfiable
infinite-time transition configuration has an ultimately periodic model (i.e., an
interval with a periodic suffix):

Lemma 33 For any V-atom α, the following are equivalent:

(a) The periodic transition configuration □T ∧ α ∧ L ∧ □◇⁺(α ∧ L) is
satisfiable.

(b) The periodic transition configuration □T ∧ α ∧ L ∧ □◇⁺(α ∧ L) has a
periodic model.

(c) The formula ($T)* ∧ α ∧ L ∧ ◇ sfin α is satisfiable (in finite time).

Proof Theorem 24 reduces the periodic transition configuration to the semantically equivalent PITL_V formula (($T)* ∧ α ∧ L)^ω. We then utilise
Lemma 32. □

Lemma 34 For any V-atom α and PITL_V formulas A and B, the following
are equivalent:

(a) The formula (A ∧ finite); (α ∧ B)^ω is satisfiable.

(b) The formula (A ∧ finite); (α ∧ B)^ω has an ultimately periodic model (i.e.,
an interval with a periodic suffix).

(c) The formula (A ∧ finite); (α ∧ B ∧ ◇ sfin α) is satisfiable (in finite time).



Proof (a) ⇒ (c): If the formula (A ∧ finite); (α ∧ B)^ω is satisfiable then the
PITL_V formula (A ∧ finite); (α ∧ B ∧ ◇ sfin α)^ω is also satisfiable. From this
readily follows the satisfiability of the formula (A ∧ finite); (α ∧ B ∧ ◇ sfin α).

(c) ⇒ (b): If the formula (A ∧ finite); (α ∧ B ∧ ◇ sfin α) is satisfiable then
Lemma 31 ensures that the two formulas A ∧ finite ∧ fin α and α ∧ B ∧ ◇ sfin α
are also satisfiable. Lemma 32 then yields that the formula (α ∧ B)^ω has a
periodic model. Suppose the interval σ satisfies A ∧ finite ∧ fin α and the
interval σ' is a periodic model of (α ∧ B)^ω. Lemma 30 permits us to assume
that σ and σ' are V-intervals. We can fuse σ together with σ' to obtain an
ultimately periodic model for (A ∧ finite); (α ∧ B)^ω.

(b) ⇒ (a): Clearly if some ultimately periodic interval satisfies (A ∧ finite); (α ∧
B)^ω, then this formula is satisfiable. □

Lemma 35 For any PITL_V formulas A and B, the following are equivalent:

(a) The formula (A ∧ finite); (B ∧ (V ← V))^ω is satisfiable.

(b) The formula (A ∧ finite); (B ∧ (V ← V))^ω has an ultimately periodic
model.

(c) The formula (A ∧ finite); (B ∧ more ∧ finite ∧ (V ← V)) is satisfiable (in
finite time).

Proof This follows from Lemma 34 and simple temporal reasoning involving
chop and the operator ∨. We also make use of the following valid equivalences
concerning V ← V, the formula B and any V-atom α:

$$\models \alpha \land B \land \Diamond\,\mathit{sfin}\,\alpha \;\equiv\; \alpha \land B \land \mathit{more} \land \mathit{finite} \land (V \leftarrow V)$$

$$\models (\alpha \land B)^{\omega} \;\equiv\; \alpha \land (B \land (V \leftarrow V))^{\omega} . \qquad \Box$$

Theorem 36 The following are equivalent:

(a) The infinite-time transition configuration □T ∧ init ∧ □◇⁺L is satisfiable.

(b) The infinite-time transition configuration □T ∧ init ∧ □◇⁺L has an
ultimately periodic model.

(c) The PITL_V formula (($T)* ∧ init ∧ finite); (($T)* ∧ L ∧ more ∧ finite ∧
(V ← V)) is satisfiable (in finite time).

(d) The PTL_V formula ⊞T ∧ init ∧ ◇(L ∧ finite ∧ more ∧ (V ← V)) is
satisfiable (in finite time).
Proof We need to obtain formulas which are in a form suitable for Lemma 35.
First of all, Theorem 26 permits us to re-express the infinite-time transition configuration □T ∧ init ∧ □◇⁺L as the formula (($T)* ∧ init ∧ finite); (($T)* ∧
L ∧ (V ← V))^ω. Recall that Theorem 11 shows the semantic equivalence of the
formulas ⊞T and ($T)*. Therefore, simple interval-based temporal reasoning
ensures that the formulas in (c) and (d) are semantically equivalent. We complete
the proof by invoking Lemma 35. □

    Type of transition configuration    Upper bounds                               Where proved
    Finite-time                         Interval length less than |Atoms_V|        Theorem 38
    Infinite-time                       Initial part < |Atoms_V|,                  (a later theorem)
                                        Period < (|L| + 1) · |Atoms_V|
    Final                               Interval length is 0                       straightforward
    Periodic                            Period < (|L| + 1) · |Atoms_V|             (a later lemma)

Table 4: Summary of upper bounds of intervals for transition configurations



6 Small Models for Transition Configurations 

We now turn to giving upper bounds on small models for satisfiable transition
configurations. This is later used to construct a decision procedure for
them. Table 4 summarises the upper bounds for intervals satisfying the various
kinds of transition configurations and where the results are proved.

It will be necessary to employ the fact (e.g., in Theorem 38 and a later lemma)
that the formula α ∧ ($T)* ∧ sfin β is satisfiable iff a simple variant of it is
satisfiable in an interval of bounded interval length. The following lemma deals
with this:

Lemma 37 For any V-atoms α and β, the formula α ∧ ($T)* ∧ sfin β is
satisfiable iff the formula α ∧ ($T)^{<|Atoms_V|} ∧ sfin β is satisfiable. Hence, the
formula α ∧ ($T)* ∧ sfin β is satisfiable iff it is satisfiable in an interval having
interval length less than |Atoms_V|.

Proof Any interval satisfying a a can be readily seen 

to also satisfy a a ($T)* a sfin j3. Let us now establish the converse by doing 
a proof by contradiction. Suppose a a ($T)* a sfin (3 is satisfiable but a a 
($ T}<\Atoms v \ A s ji n p j s n0 ^ L e t, a be any interval which has the smallest 
length of those which satisfy a a ($T)* a sfin (3. Lemma I5H1 permits us to 
assume that a is a l/~-interval. Now er's length is greater than or equal to 
\Atomsy\ and therefore contains at least \Atomsv \ + 1 states. Consequently, 
some V-state occurs at least twice in a. Let the U-atom 7 denote this state. It 
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follows that a satisfies the following PITLy formula: 

a a (($T)*;7?;($T) + ; 7 ?;($7y) a sfin (3 . 

Therefore a contains two proper subintervals a' and a" which respectively satisfy 
the PITLy formulas a a ($T)* a sfin 7 and 7 a ($T)* a sfin /3. In addition, 
the last state of a' is the same as the first one of a" so a 1 and a" can be 
fused together. The fusion a 1 o a" has length strictly less than that of a and 
furthermore, like a, satisfies the formula a a ($T)* a sfin (3. But this violates 
the assumption that a was amongst the shortest such intervals and yields a 
contradiction. □ 

Theorem 38 If a finite-time transition configuration □ T a init a finite is 
satisfiable, then it is satisfied by some finite interval of length less than \Atomsy\- 

Proof Theorem 1 1 71 ensures that the finite-time transition configuration DTa 
init a finite is semantically equivalent to the formula (($ T)* a init a finite); (T a 
empty). This is satisfiable iff for some 1^-atom a, the formula (($T)* a init a 
finite); (a a T a empty) is satisfiable. Now Lemma 1311 ensures that this it- 
self is satisfiable iff the formulas ($T)* a init a sfin a and a a T a empty 
are both satisfiable. By Lemma 1571 the first of these is satisfiable iff the for- 
mula (%T)< Atomsv \ a init a sfin a is satisfiable. Lemma 1301 permits us to 
assume without loss of generality that the intervals satisfying the formulas 

a a T a empty are ^-intervals. We then 
fuse the intervals together to obtain one of interval length less than \Atomsy\ 
which satisfies (($T)* a init a finite); (T a empty) and hence also satisfies the 
semantically equivalent finite-time transition configuration. □ 

The next definition is required for analysing infinite-time configurations and makes use of the earlier definitions concerning conjunctions and Definition 8 concerning conditional liveness formulas.

Definition 39 (Enabled Liveness Formula) An enabled liveness formula $\mathit{En}$ is a conjunction of $|\mathit{En}|$ formulas in which for each $k : 1 \le k \le |\mathit{En}|$, the subformula $\mathit{En}[k]$ is of the form $\Diamond w$, for some state formula $w$. The state formulas ${}^{\circ}\mathit{En}[1], \ldots, {}^{\circ}\mathit{En}[|\mathit{En}|]$ denote the $|\mathit{En}|$ liveness tests in $\mathit{En}$, so that $\mathit{En}[k]$ and $\Diamond\,{}^{\circ}\mathit{En}[k]$ refer to the same formula.

For any $V$-atom $\alpha$ and conditional liveness formula $L$, we also define $\mathit{En}_{L,\alpha}$ to be the enabled liveness formula containing those of $L$'s liveness tests which are enabled by $\alpha$ (recall Definition 8). Let $S$ be the set of indices of $L$'s implications which are enabled by $\alpha$. Then $\mathit{En}_{L,\alpha}$ is the conjunction $\bigwedge_{j \in S} \Diamond\,{}^{\circ}L[j]$.

For example, suppose $V$ is the set $\{p, q\}$, $\alpha$ is the $V$-atom $\neg p \wedge q$ and $L$ is the conditional liveness formula $((p \vee \neg q) \supset \Diamond\neg p) \wedge (q \supset \Diamond(p \equiv \neg q)) \wedge (\mathit{true} \supset \Diamond(p \supset q))$ mentioned earlier. Then $\mathit{En}_{L,\alpha}$ is the conjunction $\Diamond(p \equiv \neg q) \wedge \Diamond(p \supset q)$.

Lemma 40 For any $V$-atom $\alpha$ and conditional liveness formula $L$ in PTL$_V$, the conjunctions $\alpha \wedge L$ and $\alpha \wedge \mathit{En}_{L,\alpha}$ are semantically equivalent.

Not surprisingly, the hardest part of the proof of existence of small models for infinite-time transition configurations involves finding small models for periodic transition configurations. Recall that Lemma 33 relates the satisfiability of the periodic transition configuration $\Box T \wedge \alpha \wedge L \wedge \Box\Diamond^+(\alpha \wedge L)$ to that of the PITL$_V$ formula $(\$T)^* \wedge \alpha \wedge L \wedge \bigcirc\mathit{sfin}\,\alpha$. We will use the equivalence of $\alpha \wedge L$ and $\alpha \wedge \mathit{En}_{L,\alpha}$ to assist in the analysis of bounded models of $(\$T)^* \wedge \alpha \wedge L \wedge \bigcirc\mathit{sfin}\,\alpha$. These can then be used to obtain a bounded periodic model for the original periodic transition configuration.

Lemma 41 For any $V$-atom $\alpha$ and conditional liveness formula $L$ in PTL$_V$, the following equivalence is valid:

$$\models\ (\$T)^* \wedge \alpha \wedge L \wedge \bigcirc\mathit{sfin}\,\alpha \ \equiv\ (\$T)^* \wedge \alpha \wedge \mathit{En}_{L,\alpha} \wedge \bigcirc\mathit{sfin}\,\alpha .$$

Proof This readily follows from the earlier Lemma 40 concerning the semantic equivalence of the formulas $\alpha \wedge L$ and $\alpha \wedge \mathit{En}_{L,\alpha}$. □

The next Lemma 42 shortens the nonempty, finite model expressed by the formula $(\$T)^* \wedge \alpha \wedge \mathit{En} \wedge \bigcirc\mathit{sfin}\,\alpha$ to one having a bounded length by adapting the technique presented earlier in Lemma 37 concerning a bounded model for the formula $(\$T)^* \wedge \alpha \wedge \mathit{sfin}\,\beta$.

Lemma 42 For any $V$-atom $\alpha$ and enabled liveness formula $\mathit{En}$ in PTL$_V$, if the formula $(\$T)^* \wedge \alpha \wedge \mathit{En} \wedge \bigcirc\mathit{sfin}\,\alpha$ is satisfiable, then it is satisfied by an interval having interval length at most $(|\mathit{En}| + 1) \cdot |\mathit{Atoms}_V|$.

Proof If the formula $(\$T)^* \wedge \alpha \wedge \mathit{En} \wedge \bigcirc\mathit{sfin}\,\alpha$ is satisfiable, then by Lemma 30 there exists some satisfying $V$-interval. We can fuse $|\mathit{En}| + 1$ copies of this interval together to obtain a $V$-interval $\sigma$ which satisfies the formula $((\$T)^* \wedge \alpha \wedge \mathit{En} \wedge \mathit{finite})^{|\mathit{En}|+1} \wedge \bigcirc\mathit{sfin}\,\alpha$. It is not hard to check that $\sigma$ itself satisfies the original formula $(\$T)^* \wedge \alpha \wedge \mathit{En} \wedge \bigcirc\mathit{sfin}\,\alpha$ since each liveness test in $\mathit{En}$ is satisfied somewhere in $\sigma$ prior to the last state. Furthermore, there exists a sequence of $|\mathit{En}|$ $V$-atoms $\gamma_1, \ldots, \gamma_{|\mathit{En}|}$ such that for each $j : 1 \le j \le |\mathit{En}|$, the state formula $\gamma_j \wedge {}^{\circ}\mathit{En}[j]$ is satisfied by some state prior to the last one and the $V$-interval $\sigma$ satisfies the next formula:

$$\alpha \wedge ((\$T)^*;\gamma_1?;\ldots;(\$T)^*;\gamma_{|\mathit{En}|}?;(\$T)^+) \wedge \bigcirc\mathit{sfin}\,\alpha .$$

If a gap between two of the $|\mathit{En}|$ selected states satisfying their respective liveness tests has interval length of at least $|\mathit{Atoms}_V|$, then within the gap some state occurs twice. Such a gap can then be shortened in the manner of Lemma 37. By means of this we obtain from the $V$-interval $\sigma$ another $V$-interval having bounded length and satisfying the formula below:

$$\alpha \wedge ((\$T)^{<|\mathit{Atoms}_V|};\gamma_1?;\ldots;(\$T)^{<|\mathit{Atoms}_V|};\gamma_{|\mathit{En}|}?;(\$T)^{\le|\mathit{Atoms}_V|}) \wedge \bigcirc\mathit{sfin}\,\alpha .$$

The resulting new interval is nonempty and has interval length not exceeding $(|\mathit{En}| + 1) \cdot |\mathit{Atoms}_V|$. Moreover it still satisfies $(\$T)^* \wedge \alpha \wedge \mathit{En} \wedge \bigcirc\mathit{sfin}\,\alpha$. □

Lemma 43 If the formula $(\$T)^* \wedge \alpha \wedge L \wedge \bigcirc\mathit{sfin}\,\alpha$ is satisfiable, then it is satisfiable on a finite, nonempty interval with interval length at most $(|L| + 1) \cdot |\mathit{Atoms}_V|$.

Proof From Lemma 42 we have that if the formula $(\$T)^* \wedge \alpha \wedge \mathit{En}_{L,\alpha} \wedge \bigcirc\mathit{sfin}\,\alpha$ is satisfiable, then it is satisfiable on a finite, nonempty interval having interval length at most $(|\mathit{En}_{L,\alpha}| + 1) \cdot |\mathit{Atoms}_V|$. Lemma 40 ensures that the conjunctions $\alpha \wedge L$ and $\alpha \wedge \mathit{En}_{L,\alpha}$ are semantically equivalent. In addition, we have $|\mathit{En}_{L,\alpha}| \le |L|$. Therefore, if the formula $(\$T)^* \wedge \alpha \wedge L \wedge \bigcirc\mathit{sfin}\,\alpha$ is satisfiable, then it is satisfiable on a finite, nonempty interval with interval length at most $(|L| + 1) \cdot |\mathit{Atoms}_V|$. □

Lemma 44 If the periodic transition configuration $\Box T \wedge \alpha \wedge L \wedge \Box\Diamond^+(\alpha \wedge L)$ is satisfiable, then it is satisfied by a periodic interval with period of interval length at most $(|L| + 1) \cdot |\mathit{Atoms}_V|$.

Proof Lemma 33 ensures that if the periodic transition configuration is satisfiable, then the formula $(\$T)^* \wedge \alpha \wedge L \wedge \bigcirc\mathit{sfin}\,\alpha$ is satisfiable. By Lemma 43, if this is satisfiable, then it has a satisfying interval having interval length at most $(|L| + 1) \cdot |\mathit{Atoms}_V|$. Lemma 30 permits us to assume without loss of generality that the interval is a $V$-interval. We can then fuse $\omega$ copies of it together to obtain a periodic interval which has a period with interval length at most $(|L| + 1) \cdot |\mathit{Atoms}_V|$ and also satisfies the formula $((\$T)^* \wedge \alpha \wedge L)^\omega$. Theorem 24 establishes that this formula is equivalent to the original periodic transition configuration. □

Theorem 45 If the infinite-time transition configuration $\Box T \wedge \mathit{init} \wedge \Box\Diamond^+ L$ is satisfiable, then it is satisfied by an ultimately periodic interval consisting of an initial segment having interval length less than $|\mathit{Atoms}_V|$ fused with a periodic interval having a period with interval length of at most $(|L| + 1) \cdot |\mathit{Atoms}_V|$.

Proof If some interval satisfies the formula $\Box T \wedge \mathit{init} \wedge \Box\Diamond^+ L$, then Lemma 25 ensures that the interval also satisfies the next semantically equivalent formula:

$$((\$T)^* \wedge \mathit{init} \wedge \mathit{finite});\bigvee_{\alpha \in \mathit{Atoms}_V} (\Box T \wedge \alpha \wedge L \wedge \Box\Diamond^+(\alpha \wedge L)) . \qquad (10)$$

Lemma 31 and simple temporal reasoning establish that for some $V$-atom $\alpha$ the two formulas $(\$T)^* \wedge \mathit{init} \wedge \mathit{sfin}\,\alpha$ and $\Box T \wedge \alpha \wedge L \wedge \Box\Diamond^+(\alpha \wedge L)$ are satisfiable. By Lemma 37 the first formula is satisfiable in some interval $\sigma$ having interval length less than $|\mathit{Atoms}_V|$. Lemma 44 yields some periodic interval $\sigma'$ which satisfies the second formula and possesses a period with interval length of at most $(|L| + 1) \cdot |\mathit{Atoms}_V|$. Lemma 30 permits us to assume that $\sigma$ and $\sigma'$ are $V$-intervals. Therefore the last state of $\sigma$ is the same as the first one of $\sigma'$ since both states satisfy $\alpha$. The fusion $\sigma \circ \sigma'$ is itself ultimately periodic and satisfies the formula (10). Hence it also satisfies the semantically equivalent original infinite-time transition configuration $\Box T \wedge \mathit{init} \wedge \Box\Diamond^+ L$ as well. In addition, the interval $\sigma \circ \sigma'$ has an initial segment having interval length less than $|\mathit{Atoms}_V|$ fused with a periodic interval with period of interval length at most $(|L| + 1) \cdot |\mathit{Atoms}_V|$. □
7 Decomposition of Transition Configurations

We now prove the two Theorems 46 and 49 which respectively relate the satisfiability of finite-time and infinite-time transition configurations to simple interval-oriented tests involving finite time. These theorems are later used in Sect. 8 as part of the justification of our PTL decision procedure and in Sect. 10 as part of the completeness proof of an axiom system for PTL.

Theorem 46 (Decomposing Finite-Time Transition Configurations) The following are equivalent:

(a) The finite-time configuration $\Box T \wedge \mathit{init} \wedge \mathit{finite}$ is satisfiable.

(b) For some $V$-atoms $\alpha$ and $\beta$, the three formulas below are satisfiable:

$$\alpha \wedge \mathit{init} \qquad (\$T)^* \wedge \alpha \wedge \mathit{sfin}\,\beta \qquad T \wedge \beta \wedge \mathit{empty} .$$

Proof Theorem 17 ensures that the finite-time configuration is semantically equivalent to the next PITL$_V$ formula:

$$((\$T)^* \wedge \mathit{init} \wedge \mathit{finite});(T \wedge \mathit{empty}) .$$

Now simple interval-based reasoning guarantees that this is satisfiable iff for some $V$-atoms $\alpha$ and $\beta$, the next formula is satisfiable:

$$((\$T)^* \wedge \alpha \wedge \mathit{init} \wedge \mathit{finite});(T \wedge \beta \wedge \mathit{empty}) .$$

Lemma 31 ensures that this is itself satisfiable iff the next two formulas are:

$$(\$T)^* \wedge \alpha \wedge \mathit{init} \wedge \mathit{sfin}\,\beta \qquad T \wedge \beta \wedge \mathit{empty} .$$

Finally, simple temporal reasoning ensures that the first of these is itself satisfiable iff the following two formulas are satisfiable:

$$\alpha \wedge \mathit{init} \qquad (\$T)^* \wedge \alpha \wedge \mathit{sfin}\,\beta . \qquad □$$

We now turn to decomposing an infinite-time transition configuration:

Lemma 47 The infinite-time transition configuration $\Box T \wedge \mathit{init} \wedge \Box\Diamond^+ L$ is satisfiable iff for some $V$-atoms $\alpha$ and $\beta$, the following formulas are satisfiable:

$$(\$T)^* \wedge \alpha \wedge \mathit{init} \wedge \mathit{sfin}\,\beta \qquad (\$T)^* \wedge \beta \wedge \mathit{En}_{L,\beta} \wedge \bigcirc\mathit{sfin}\,\beta . \qquad (11)$$

Proof Theorem 36 ensures that the infinite-time configuration is satisfiable iff the next PITL$_V$ formula is satisfiable:

$$((\$T)^* \wedge \mathit{init} \wedge \mathit{finite});((\$T)^* \wedge L \wedge \mathit{more} \wedge \mathit{finite} \wedge (V \leftarrow V)) .$$

Simple interval-based temporal reasoning ensures that this itself is satisfiable iff for some $V$-atoms $\alpha$ and $\beta$, the next formula is satisfiable:

$$((\$T)^* \wedge \alpha \wedge \mathit{init} \wedge \mathit{finite});((\$T)^* \wedge \beta \wedge L \wedge \bigcirc\mathit{sfin}\,\beta) . \qquad (12)$$

Now Lemma 40 guarantees the semantic equivalence of the conjunctions $\beta \wedge L$ and $\beta \wedge \mathit{En}_{L,\beta}$. We can therefore replace $L$ by $\mathit{En}_{L,\beta}$ in formula (12). Finally, Lemma 31 yields that the resulting formula is itself satisfiable iff the two formulas in (11) are satisfiable. □

The next lemma concerning enabled liveness formulas is shortly used in Theorem 49 to analyse the satisfiability of infinite-time configurations:

Lemma 48 For any $V$-atom $\alpha$ and enabled liveness formula $\mathit{En}$, the following are equivalent:

(a) The formula $(\$T)^* \wedge \alpha \wedge \mathit{En} \wedge \bigcirc\mathit{sfin}\,\alpha$ is satisfiable.

(b) For some $|\mathit{En}|$ $V$-atoms $\gamma_1, \ldots, \gamma_{|\mathit{En}|}$ (not necessarily distinct), the following are all satisfiable:

$$(\$T)^* \wedge \alpha \wedge \bigcirc\mathit{sfin}\,\alpha$$

$$\text{for each } \gamma_i:\quad (\$T)^* \wedge \alpha \wedge \mathit{sfin}\,\gamma_i \qquad \gamma_i \wedge {}^{\circ}\mathit{En}[i] \qquad (\$T)^* \wedge \gamma_i \wedge \mathit{sfin}\,\alpha .$$

Proof Induction on the length of $\mathit{En}$ and simple interval-based reasoning can be used to demonstrate that the formula $(\$T)^* \wedge \alpha \wedge \mathit{En} \wedge \bigcirc\mathit{sfin}\,\alpha$ is satisfiable iff the formula $(\$T)^* \wedge \alpha \wedge \bigcirc\mathit{sfin}\,\alpha$ is satisfiable and also for some $V$-atoms $\gamma_1, \ldots, \gamma_{|\mathit{En}|}$, for each $\gamma_i$ the following formula is satisfiable:

$$(\$T)^* \wedge \alpha \wedge \Diamond(\gamma_i \wedge {}^{\circ}\mathit{En}[i]) \wedge \mathit{sfin}\,\alpha . \qquad (13)$$

This guarantees that for each liveness test ${}^{\circ}\mathit{En}[i]$ in $\mathit{En}$, the $V$-atom $\alpha$ can reach some $V$-atom $\gamma_i$ which satisfies ${}^{\circ}\mathit{En}[i]$, and this $V$-atom $\gamma_i$ itself can reach back to $\alpha$. We can re-express (13) as the semantically equivalent formula below:

$$((\$T)^* \wedge \alpha \wedge \mathit{finite});((\$T)^* \wedge \gamma_i \wedge {}^{\circ}\mathit{En}[i] \wedge \mathit{sfin}\,\alpha) .$$

Lemma 31 ensures that this is satisfiable iff the next two formulas are:

$$(\$T)^* \wedge \alpha \wedge \mathit{sfin}\,\gamma_i \qquad (\$T)^* \wedge \gamma_i \wedge {}^{\circ}\mathit{En}[i] \wedge \mathit{sfin}\,\alpha .$$

The second one is satisfiable iff the two formulas shown below are satisfiable:

$$\gamma_i \wedge {}^{\circ}\mathit{En}[i] \qquad (\$T)^* \wedge \gamma_i \wedge \mathit{sfin}\,\alpha . \qquad □$$

Theorem 49 (Decomposing Infinite-Time Transition Configurations) The following are equivalent:

(a) The infinite-time configuration $\Box T \wedge \mathit{init} \wedge \Box\Diamond^+ L$ is satisfiable.

(b) For some $V$-atoms $\alpha$, $\beta$ and $\gamma_1, \ldots, \gamma_{|\mathit{En}_{L,\beta}|}$ (not necessarily distinct), the following are all satisfiable:

$$\alpha \wedge \mathit{init} \qquad (\$T)^* \wedge \alpha \wedge \mathit{sfin}\,\beta \qquad (\$T)^* \wedge \beta \wedge \bigcirc\mathit{sfin}\,\beta$$

$$\text{for each } \gamma_i:\quad (\$T)^* \wedge \beta \wedge \mathit{sfin}\,\gamma_i \qquad \gamma_i \wedge {}^{\circ}\mathit{En}_{L,\beta}[i] \qquad (\$T)^* \wedge \gamma_i \wedge \mathit{sfin}\,\beta .$$

Proof Lemma 47 establishes that the infinite-time configuration $\Box T \wedge \mathit{init} \wedge \Box\Diamond^+ L$ is satisfiable iff there exist some $V$-atoms $\alpha$ and $\beta$ for which the next two formulas are satisfiable:

$$(\$T)^* \wedge \alpha \wedge \mathit{init} \wedge \mathit{sfin}\,\beta \qquad (\$T)^* \wedge \beta \wedge \mathit{En}_{L,\beta} \wedge \bigcirc\mathit{sfin}\,\beta . \qquad (14)$$

Now simple temporal reasoning ensures that the first of these is itself satisfiable iff the following two formulas are satisfiable:

$$\alpha \wedge \mathit{init} \qquad (\$T)^* \wedge \alpha \wedge \mathit{sfin}\,\beta .$$

Furthermore, Lemma 48 guarantees that the second formula in (14) is satisfiable iff the formula $(\$T)^* \wedge \beta \wedge \bigcirc\mathit{sfin}\,\beta$ is satisfiable and furthermore for some $V$-atoms $\gamma_1, \ldots, \gamma_{|\mathit{En}_{L,\beta}|}$ (not necessarily distinct), the following are all satisfiable for each $\gamma_i$:

$$(\$T)^* \wedge \beta \wedge \mathit{sfin}\,\gamma_i \qquad \gamma_i \wedge {}^{\circ}\mathit{En}_{L,\beta}[i] \qquad (\$T)^* \wedge \gamma_i \wedge \mathit{sfin}\,\beta . \qquad □$$



8 A Decision Procedure 

We now describe a decision procedure for finite-time and infinite-time transition configurations based on Binary Decision Diagrams (BDDs) [8,9], which provide an efficient basis for performing many computational tasks involving reductions to reasoning about formulas in propositional logic. We had little difficulty implementing the decision procedure using the popular Colorado University Decision Diagram Package (CUDD) [19] developed by Somenzi. Our prototype tool consists of a front-end coded in the CLISP [15] implementation of Common Lisp [1] as well as a back-end coded in Perl [59]. The back-end employs a Perl-oriented interface to CUDD written by Somenzi and called PerlDD [60]. The front-end accepts arbitrary PTL formulas and converts them to transition configurations using methods later described in Sections 11 and 15. The transition configurations are then passed to the back-end which analyses them using BDDs. In this section we describe the basis for performing this analysis.

The remainder of this section assumes that the reader already has some familiarity with BDDs.

Our algorithm for finite-time transition configurations adapts methods for symbolic state space traversal described by Coudert, Berthet and Madre [16-18] (see also Kropf [14,41]) for use with BDD-based representations of formulas in propositional logic. It simultaneously greatly benefits from closely related methods first employed by McMillan in symbolic model checking [10,14,46] which also include the automatic generation of counterexamples for unsatisfiable formulas and, similarly, witnesses for satisfiable ones. Recall that Theorem 46 shows that the finite-time transition configuration $\Box T \wedge \mathit{init} \wedge \mathit{finite}$ is satisfiable iff for some $V$-atoms $\alpha$ and $\beta$, the next three formulas are satisfiable:

$$\alpha \wedge \mathit{init} \qquad (\$T)^* \wedge \alpha \wedge \mathit{sfin}\,\beta \qquad T \wedge \beta \wedge \mathit{empty} .$$

We can readily search for suitable $V$-atoms using BDDs. Three BDDs $\Gamma_1$, $\Gamma_2$ and $\Gamma_3$ are initially constructed. We first describe the roles of the BDDs $\Gamma_1$, $\Gamma_2$ and $\Gamma_3$ before actually constructing them:

• The BDD $\Gamma_1$ represents the state formula $\mathit{init}$ and hence the set of $V$-atoms satisfying $\mathit{init}$ (i.e., the set $\{\alpha \in \mathit{Atoms}_V : \alpha \models \mathit{init}\}$). This is the same as the set $\{\alpha \in \mathit{Atoms}_V : \alpha \wedge \mathit{init} \text{ is satisfiable}\}$.

• The second BDD $\Gamma_2$ captures all pairs of $V$-atoms corresponding to unit (i.e., two-state) intervals satisfying $T$. In other words, it corresponds to the set $\{(\alpha, \beta) \in \mathit{Atoms}_V \times \mathit{Atoms}_V : \alpha\beta \models T\}$. This is the same as the set $\{(\alpha, \beta) \in \mathit{Atoms}_V \times \mathit{Atoms}_V : T \wedge \alpha \wedge \mathit{skip} \wedge \mathit{sfin}\,\beta \text{ is satisfiable}\}$.

• The third BDD $\Gamma_3$ captures the behaviour of $T$ in an empty interval. Therefore $\Gamma_3$ represents the set of all $V$-atoms satisfying the formula $T \wedge \mathit{empty}$ (i.e., the set $\{\alpha \in \mathit{Atoms}_V : \alpha \models T\}$). This is the same as the set $\{\alpha \in \mathit{Atoms}_V : T \wedge \alpha \wedge \mathit{empty} \text{ is satisfiable}\}$.

In the course of manipulating the BDDs we make use of two finite sets of propositional variables. They include the original ones (e.g., $p, r_1, \ldots, r_4$) as well as primed versions (e.g., $p', r_1', \ldots, r_4'$). For convenience, we often do not distinguish between a BDD and the propositional logic formula it represents.

Let $V$ and $V'$ respectively denote the two sets of variables. We now construct the BDDs $\Gamma_1$, $\Gamma_2$ and $\Gamma_3$ as follows:

• Let $\Gamma_1$ be the formula $\mathit{init}$.

• Obtain $\Gamma_2$ from the formula $T$ by replacing all variables in the scope of any $\bigcirc$ constructs by the corresponding ones in $V'$ and then deleting all $\bigcirc$ operators (but not the associated operands) to obtain a formula in conventional propositional logic. We refer to this process of constructing $\Gamma_2$ from $T$ as flattening.

• Obtain $\Gamma_3$ from the formula $T$ by replacing each $\bigcirc$ construct by $\mathit{false}$.

The BDDs $\Gamma_1$ and $\Gamma_3$ can both only contain variables in $V$, whereas $\Gamma_2$ can contain variables in $V$ and $V'$.

Suppose $T$ and $\mathit{init}$ are the following formulas mentioned earlier:

$$T:\ (r_1 \equiv (p \vee \bigcirc r_1)) \wedge (r_2 \equiv (\neg r_1 \vee \bigcirc r_2)) \wedge (r_3 \equiv (\neg p \vee \bigcirc r_3)) \wedge (r_4 \equiv (\neg r_3 \vee \bigcirc r_4)) \qquad \mathit{init}:\ \neg r_2 \wedge \neg r_4 .$$

Here are the associated $\Gamma_1$, $\Gamma_2$ and $\Gamma_3$ for these $T$ and $\mathit{init}$:

$$\Gamma_1:\ \neg r_2 \wedge \neg r_4$$

$$\Gamma_2:\ (r_1 \equiv (p \vee r_1')) \wedge (r_2 \equiv (\neg r_1 \vee r_2')) \wedge (r_3 \equiv (\neg p \vee r_3')) \wedge (r_4 \equiv (\neg r_3 \vee r_4'))$$

$$\Gamma_3:\ (r_1 \equiv (p \vee \mathit{false})) \wedge (r_2 \equiv (\neg r_1 \vee \mathit{false})) \wedge (r_3 \equiv (\neg p \vee \mathit{false})) \wedge (r_4 \equiv (\neg r_3 \vee \mathit{false})) .$$

The connection between the BDDs for $\Gamma_1$ and $\Gamma_3$ and the previously mentioned sets of $V$-atoms they are meant to capture is straightforward. In order to justify the less intuitive relationship between the construction for $\Gamma_2$ and the earlier associated set of pairs of $V$-atoms, we shortly present Lemma 51 relating $\Gamma_2$ with $T$. However, the following lemma concerning NL$^1$ formulas is first given since it is used in the proof of Lemma 51.

Lemma 50 The following are equivalent for any NL$^1$ formula $T$:

(a) The formula $T$ is satisfiable in some nonempty interval.

(b) The formula $\mathit{skip} \wedge T$ is satisfiable.

Proof (a) $\Rightarrow$ (b): Suppose some nonempty interval $\sigma$ satisfies the formula $T$. Now $\sigma$ contains at least two states. Let $\sigma'$ denote the subinterval consisting of the first two states in $\sigma$. Now $\sigma'$ satisfies the formula $\mathit{skip}$. Furthermore, the formula $T$ is in NL$^1$. The earlier lemma on NL$^1$ formulas consequently ensures that the interval $\sigma'$, like $\sigma$, satisfies the formula $T$ because the two intervals share the same first two states. Therefore $\sigma'$ satisfies the formula $\mathit{skip} \wedge T$.

(b) $\Rightarrow$ (a): If some interval $\sigma$ satisfies the PTL formula $\mathit{skip} \wedge T$, then $\sigma$ is clearly nonempty and also satisfies $T$. □

Lemma 51 For any $V$-atoms $\alpha$ and $\beta$, the following are equivalent:

(a) The formula $T \wedge \alpha \wedge \mathit{skip} \wedge \mathit{sfin}\,\beta$ is satisfiable (i.e., $\alpha\beta \models T$).

(b) The propositional logic formula $\Gamma_2 \wedge \alpha \wedge \beta'$ is satisfiable.

Proof (a) $\Rightarrow$ (b): Suppose the formula $T \wedge \alpha \wedge \mathit{skip} \wedge \mathit{sfin}\,\beta$ is satisfiable. Then the flattening of $T$ into $\Gamma_2$ readily yields that the formula $\Gamma_2 \wedge \alpha \wedge \beta'$ is satisfiable.

(b) $\Rightarrow$ (a): If the propositional logic formula $\Gamma_2 \wedge \alpha \wedge \beta'$ is satisfiable, then the flattening of $\bigcirc$ constructs in $\Gamma_2$ readily yields that the NL$^1$ formula $T \wedge \alpha \wedge \bigcirc\beta$ is satisfiable. Clearly any interval satisfying it has at least two states. Hence by the previous Lemma 50 the formula $\mathit{skip} \wedge T \wedge \alpha \wedge \bigcirc\beta$ is satisfiable. Simple temporal reasoning then ensures that the semantically equivalent formula $T \wedge \alpha \wedge \mathit{skip} \wedge \mathit{sfin}\,\beta$ is also satisfiable. □

We use $\Gamma_2$ together with the first BDD $\Gamma_1$ to iteratively calculate a sequence of BDDs $\Delta_0, \ldots, \Delta_k, \ldots$ so that for any $k$, $\Delta_k$ describes all $V$-atoms which can be reached from one which satisfies $\mathit{init}$ in exactly $k$ steps. In other words, $\Delta_k$ represents the following set:

$$\{\beta \in \mathit{Atoms}_V : \text{for some } \alpha \in \mathit{Atoms}_V,\ (\$T)^k \wedge \alpha \wedge \mathit{init} \wedge \mathit{sfin}\,\beta \text{ is satisfiable}\} .$$

We set $\Delta_0$ to be $\Gamma_1$. Therefore, every variable in $\Delta_0$ is in $V$. Each $\Delta_{k+1}$ is calculated to be semantically equivalent to the next quantified propositional logic formula in which the renaming $[V' \mapsto V]$ of each primed variable to its unprimed counterpart ensures that all free variables are in $V$:

$$(\exists V.\,(\Delta_k \wedge \Gamma_2))[V' \mapsto V] . \qquad (15)$$

Due to the final renaming, the sole variables left in the BDD $\Delta_{k+1}$ itself are elements of $V$. The only BDD operations required to calculate $\Delta_{k+1}$ from (15) are logical-and, existential quantification (which actually yields a BDD representing a semantically equivalent quantifier-free formula) and renaming, which are all standard ones.

Remark 52 Within the CUDD system, the entire calculation for obtaining $\exists V.\,(\Delta_k \wedge \Gamma_2)$ can even be done by a single CUDD operation tailored to handle this specific kind of common BDD manipulation. Furthermore, the renaming of variables in $V'$ to those in $V$ is actually achieved by taking the BDD obtained for $\exists V.\,(\Delta_k \wedge \Gamma_2)$ and then performing a single CUDD operation which yields another BDD in which the variables in $V$ are swapped with the corresponding ones in $V'$.

For any given $\Delta_k$ which has been calculated, we next determine the logical-and of $\Gamma_3$ and $\Delta_k$ and then proceed as follows:

1. If the logical-and is not $\mathit{false}$, then there is some $V$-atom $\beta$ satisfying $T \wedge \mathit{empty}$ which can be reached in $k$ steps from a $V$-atom $\alpha$ satisfying $\mathit{init}$. Therefore the next three formulas are all satisfiable:

$$\alpha \wedge \mathit{init} \qquad (\$T)^k \wedge \alpha \wedge \mathit{sfin}\,\beta \qquad T \wedge \beta \wedge \mathit{empty} .$$

Now the second formula ensures the satisfiability of the formula $(\$T)^* \wedge \alpha \wedge \mathit{sfin}\,\beta$. Therefore Theorem 46 can be invoked to obtain the satisfiability of the original finite-time transition configuration $\Box T \wedge \mathit{init} \wedge \mathit{finite}$. We therefore do not need to calculate any further $\Delta_k$'s.

2. Otherwise, the logical-and is $\mathit{false}$ so we must continue to iterate.

During the iteration process, we maintain a BDD representing the set of all $V$-atoms so far reachable from one satisfying $\mathit{init}$. This BDD corresponds to the formula $\bigvee_{0 \le i \le k} \Delta_i$ which equals the next set:

$$\{\beta \in \mathit{Atoms}_V : \text{for some } \alpha \in \mathit{Atoms}_V,\ (\$T)^{\le k} \wedge \alpha \wedge \mathit{init} \wedge \mathit{sfin}\,\beta \text{ is satisfiable}\} .$$

If no such $\beta$ exists which also satisfies $T \wedge \mathit{empty}$, the BDD eventually converges to a value corresponding to the set of all $V$-atoms reachable from $V$-atoms which satisfy $\mathit{init}$. The following set denotes this:

$$\{\beta \in \mathit{Atoms}_V : \text{for some } \alpha \in \mathit{Atoms}_V,\ (\$T)^* \wedge \alpha \wedge \mathit{init} \wedge \mathit{sfin}\,\beta \text{ is satisfiable}\} .$$

We then terminate the algorithm with a report that the original transition configuration $\Box T \wedge \mathit{init} \wedge \mathit{finite}$ is unsatisfiable. Even though Theorem 38 bounds the number of iterations, in some cases convergence takes too long. This necessitates a preset iteration limit or a facility for manual intervention in order to force premature termination of the loop.

If for some $n$, the algorithm succeeds after $n$ iterations and determines that the transition configuration is satisfiable, then a sample $V$-interval having $n + 1$ states and which satisfies the formula can be calculated. This involves standard BDD methods for constructing such examples and is done by working backward through the BDDs $\Delta_n, \Delta_{n-1}, \ldots, \Delta_0$ to find a suitable sequence of $n + 1$ $V$-atoms to serve as a $V$-interval satisfying the transition configuration. The algorithm can also be readily adapted to only determine values for a subset of the variables in $V$.
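As an added illustration (not the paper's CUDD/PerlDD tool), the following Python runs the finite-time procedure of this section with explicit sets of $V$-atoms standing in for the BDDs $\Gamma_1$, $\Gamma_2$, $\Gamma_3$ and $\Delta_k$, on the $T$ and $\mathit{init}$ shown above; the alternative $\mathit{init}$ formulas used at the end are constructed here to exhibit a satisfiable case and its witness.

```python
"""Set-based model of the Sect. 8 finite-time decision procedure.

Added example: V-atoms over (p, r1, r2, r3, r4) are enumerated explicitly,
so Gamma_1, Gamma_2, Gamma_3 and every Delta_k are Python sets and the
BDD step (15) becomes an image computation over the relation Gamma_2."""
from collections import namedtuple
from itertools import product

VARS = ("p", "r1", "r2", "r3", "r4")
Atom = namedtuple("Atom", VARS)          # one V-atom = one truth assignment
ATOMS = [Atom(*bits) for bits in product((False, True), repeat=len(VARS))]


def example_T(cur, nxt):
    """The page's example T.  `cur` is the current V-atom; `nxt(f)` evaluates
    the state formula f under a next-state (circle) operator, so one function
    serves both for flattening (Gamma_2) and for circle := false (Gamma_3)."""
    return (cur.r1 == (cur.p or nxt(lambda s: s.r1))
            and cur.r2 == ((not cur.r1) or nxt(lambda s: s.r2))
            and cur.r3 == ((not cur.p) or nxt(lambda s: s.r3))
            and cur.r4 == ((not cur.r3) or nxt(lambda s: s.r4)))


def example_init(a):
    """The page's example init: not r2 and not r4."""
    return (not a.r2) and (not a.r4)


def build_gammas(T, init):
    """Gamma_1: atoms satisfying init.  Gamma_2: pairs (alpha, beta) with
    alpha beta |= T, obtained by reading every circle-f in beta (flattening).
    Gamma_3: atoms satisfying T with every circle construct replaced by false."""
    gamma1 = {a for a in ATOMS if init(a)}
    gamma2 = {(a, b) for a in ATOMS for b in ATOMS if T(a, lambda f: f(b))}
    gamma3 = {a for a in ATOMS if T(a, lambda f: False)}
    return gamma1, gamma2, gamma3


def extract_witness(deltas, gamma2, last):
    """Work backwards through Delta_n, ..., Delta_0 to pick n+1 atoms ending in
    `last`, each adjacent pair being in Gamma_2 (the page's sample V-interval)."""
    path = [last]
    for k in range(len(deltas) - 1, 0, -1):
        prev = min(a for a in deltas[k - 1] if (a, path[0]) in gamma2)
        path.insert(0, prev)
    return path


def decide_finite_time(T, init, limit=None):
    """Return (satisfiable, k, witness).  Delta_k is the set of atoms reachable
    from Gamma_1 in exactly k steps; stop when Delta_k meets Gamma_3
    (satisfiable, witness of k+1 states) or when the union of the Delta_i
    stops growing (unsatisfiable).  `limit` is the page's preset iteration cap."""
    gamma1, gamma2, gamma3 = build_gammas(T, init)
    if limit is None:
        limit = len(ATOMS)   # Theorem 38: a model, if any, has length < |Atoms_V|
    deltas = [gamma1]        # Delta_0 = Gamma_1
    reached = set(gamma1)    # the BDD for OR_{0<=i<=k} Delta_i
    for k in range(limit + 1):
        hit = deltas[k] & gamma3
        if hit:
            return True, k, extract_witness(deltas, gamma2, min(hit))
        # (exists V. Delta_k and Gamma_2) renamed back to V, as a set image
        image = {b for (a, b) in gamma2 if a in deltas[k]}
        if image <= reached:  # converged: no further atom can ever appear
            return False, k, None
        reached |= image
        deltas.append(image)
    raise RuntimeError("iteration limit reached before convergence")


def is_model(T, init, interval):
    """Independent check that a list of atoms satisfies Box T and init and finite."""
    gamma1, gamma2, gamma3 = build_gammas(T, init)
    return (interval[0] in gamma1 and interval[-1] in gamma3
            and all((a, b) in gamma2 for a, b in zip(interval, interval[1:])))


if __name__ == "__main__":
    sat, k, w = decide_finite_time(example_T, example_init)
    print("page example, init = not r2 and not r4:", sat)   # unsatisfiable
    # constructed variant: init = not r2 and not p needs at least two states
    sat, k, w = decide_finite_time(example_T, lambda a: (not a.r2) and (not a.p))
    print("init = not r2 and not p:", sat, "after", k, "steps; witness:", w)
```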

8.1 Dealing with Infinite Time 

For testing an infinite-time transition configuration $\Box T \wedge \mathit{init} \wedge \Box\Diamond^+ L$, we can make use of Theorem 36 which guarantees that this formula is satisfiable iff the next PTL$_V$ formula is satisfiable:

$$\Box T \wedge \mathit{init} \wedge \Diamond(L \wedge \mathit{finite} \wedge \mathit{more} \wedge (V \leftarrow V)) .$$

The previously described satisfiability algorithm for finite time can therefore be utilised. However, we must first transform this second formula to some suitable finite-time transition configuration using techniques later described in Sect. 12 for reducing arbitrary PTL formulas to finite-time transition configurations. Alternatively, more sophisticated algorithms using Theorem 49 can be employed to directly analyse the infinite-time transition configuration using BDD-based techniques. Space does not permit more details here.

9 Axiom System for NL 

In preparation for the proof of axiomatic completeness for PTL, we now consider 
an axiom system for NL. The axiomatic completeness of NL later plays a major 
role in the completeness proof for PTL. 

Within this section, the variables $X$, $X'$, $X''$ and $X_0$ denote NL formulas.

Table 5 contains a complete axiom system for NL adapted from the modal logic K+D$_c$. Here $\textcircled{w}$ ("weak next"), previously defined earlier in the paper as a derived operator, is instead regarded as a primitive construct. We can consider $\bigcirc X$ to be an abbreviation for $\neg\textcircled{w}\neg X$. Hughes and Cresswell [36, Problem 6.8 on p.
Axioms:

N1 (K). $\vdash \textcircled{w}(X \supset X') \supset \textcircled{w}X \supset \textcircled{w}X'$

N2 (D$_c$). $\vdash \bigcirc X \supset \textcircled{w}X$

Inference rules:

NR1. If $X$ is a tautology, then $\vdash X$

NR2 (MP). If $\vdash X \supset X'$ and $\vdash X$, then $\vdash X'$

NR3 (RN). If $\vdash X$, then $\vdash \textcircled{w}X$

Table 5: Complete axiom system for NL (modal system K+D$_c$)

Axioms:

N1' (N$\bigcirc$). $\vdash \neg\bigcirc\mathit{false}$

N2' (C$\bigcirc$). $\vdash \bigcirc(X \vee X') \supset \bigcirc X \vee \bigcirc X'$

N3' (D$_c$). $\vdash \bigcirc X \supset \textcircled{w}X$

Inference rules:

NR1'. If $X$ is a tautology, then $\vdash X$

NR2' (MP). If $\vdash X \supset X'$ and $\vdash X$, then $\vdash X'$

NR3' (RM$\bigcirc$). If $\vdash X \supset X'$, then $\vdash \bigcirc X \supset \bigcirc X'$

Table 6: Alternative complete axiom system for NL based on $\bigcirc$



123 with solution on p. 379] briefly discuss how to show deductive completeness of the logic K+D$_c$.

Table 6 contains a complete axiom system for NL in which $\bigcirc$, rather than $\textcircled{w}$, is the primitive operator. Consequently, $\textcircled{w}$ is derived in the manner already shown earlier. The axiom system is essentially one of several $\Diamond$-based axiomatisations of normal systems of modal logic covered by Chellas [12] with the addition of the axiom D$_c$. This second axiom system appears preferable for our purposes since our definition of PTL also takes $\bigcirc$ to be primitive. We therefore use this axiom system here, although the methods employed can be easily adapted to the first NL axiom system.

Definition 53 (Theoremhood and Consistency for NL) If some NL formula $X$ is deducible from the axiom system, we call it an NL theorem and denote this theoremhood as $\vdash_{\mathrm{NL}} X$. We define $X$ to be NL-consistent if $\neg X$ is not an NL theorem, i.e., $\nvdash_{\mathrm{NL}} \neg X$.

Below are some representative lemmas about satisfiability and consistency of NL formulas. They are subsequently used in the completeness proof for the NL axiom system in Table 6.

Lemma 54 For any state formula $w$ and NL formula $X$, if $w$ is satisfiable, then the NL conjunction $w \wedge \neg\bigcirc X$ is satisfied by some one-state interval.

Lemma 55 For any state formula $w$ and NL formula $X$, if both $w$ and $X$ are satisfiable, then so is the formula $w \wedge \bigcirc X$.

In such a case, if $X$ itself is satisfied by an interval having at most $n$ states, then $w \wedge \bigcirc X$ is satisfied by an interval having at most $n + 1$ states.

Lemma 56 For any NL formula $X$, if $\bigcirc X$ is NL-consistent, then so is $X$.

For any NL formulas $X$ and $X'$, the NL theorems (16)-(18) displayed after Table 7 are deducible and are shortly used to simplify formulas.

Axiomatic completeness is usually defined to mean that every valid formula is deducible as a theorem. However, we will make use of the following variant way of expressing completeness:

Lemma 57 (Alternative Notion of Completeness) A logic's axiom system is complete iff each consistent formula is satisfiable.

Theorem 58 (Completeness of Alternative NL Axiom System) The NL axiom system in Table 6 is complete.

Proof The proof involves the kind of consistency-based reasoning found later in the paper. Using Lemma 57 we show that any NL formula $X_0$ which is NL-consistent (i.e., $\nvdash_{\mathrm{NL}} \neg X_0$) has a satisfying finite interval. Let $n$ be the next-height of $X_0$, i.e., the maximum nesting of $\bigcirc$s in $X_0$. We do induction on $n$ to show that $X_0$ is satisfied by some interval with at most $n + 1$ states. □

10 Axiomatic Completeness for Transition Configurations

We now turn to describing a PTL axiom system with which axiomatic completeness can be shown for transition configurations.

The PTL axiom system used here is shown in Table 7 and is adapted from another similar PTL axiom system DX proposed by Pnueli [61]. Gabbay et al. [27] showed that DX is complete. Pnueli's original system uses strong versions of $\Diamond$ and $\Box$ (which we denote as $\Diamond^+$ and $\Box^+$ respectively) which do not examine the current state. In addition, Pnueli's system only deals with infinite time. However, Gabbay et al. [27] also include a variant system called D$^{\circ}$X based on the conventional $\Diamond$ and $\Box$ operators which examine the current state. The version presented here does this as well and furthermore permits both finite and infinite time.



$$\vdash_{\mathrm{NL}} \bigcirc(X \wedge X') \equiv \bigcirc X \wedge \bigcirc X' \qquad (16)$$

$$\vdash_{\mathrm{NL}} \bigcirc(X \wedge \neg X') \equiv \bigcirc X \wedge \neg\bigcirc X' \qquad (17)$$

$$\vdash_{\mathrm{NL}} \neg\bigcirc(X \vee X') \equiv \neg\bigcirc X \wedge \neg\bigcirc X' . \qquad (18)$$
Axioms:

T1. $\vdash \Box(X \supset Y) \supset \Box X \supset \Box Y$

T2. $\vdash \bigcirc X \supset \textcircled{w}X$

T3. $\vdash \bigcirc(X \supset Y) \supset \bigcirc X \supset \bigcirc Y$

T4. $\vdash \Box X \supset X \wedge \textcircled{w}\Box X$

T5. $\vdash \Box(X \supset \textcircled{w}X) \supset X \supset \Box X$

Inference rules:

R1. If $X$ is a tautology, then $\vdash X$

R2. If $\vdash X \supset Y$ and $\vdash X$, then $\vdash Y$

R3. If $\vdash X$, then $\vdash \Box X$

Table 7: Modified version of Pnueli's complete PTL axiom system DX



Definition 59 (Theoremhood and Consistency for PTL) If the PTL for- 
mula X is deducible from the axiom system, we call it a PTL theorem and denote 
this theoremhood as\- X . We define X to be consistent if ^X is not a theorem, 
i.e., \f^X. 

In the course of proving completeness for PTL we make use of a definition 
of completeness for sets of formulas such as sets of transition configurations: 

Definition 60 (Completeness for a Set of Formulas) An axiom system is 
said to be complete for a set of formulas $\{X_1, \dots, X_n\}$ if the consistency of any 
$X_i$ implies that $X_i$ is also satisfiable. 

Now the Alternative Notion of Completeness (Lemma 57) can also be readily 
adapted to sets of formulas. Indeed, our goal in the rest of this section is to 
show that any consistent transition configuration is also satisfiable. 

The next lemma permits us to utilise within PTL the axiomatic completeness 
of the NL proof system: 

Theorem 61 (Completeness for NL in PTL) The PTL axiom system is 
complete for the set of NL formulas. 

Proof Theorem 58 establishes the completeness of the alternative NL axiom 
system given earlier. We then show that any NL theorem is also a PTL theorem. 
This can be done by demonstrating that all axioms and inference rules in the 
NL axiom system are derivable from PTL ones. □ 

10.1 Some Basic Lemmas for Completeness 

In this subsection, we deal with another part of the completeness proof. We 
utilise ways to go from certain specific kinds of consistent formulas involving 
reachability to intervals in order to later construct models for consistent transition 
configurations in §10.2. Table 8 summarises the basic lemmas proved here. 
Within the table, "satisfiable" has the meaning introduced earlier for formulas and 
"consistent" has the meaning given in Definition 59. 



Lemma 62 For any $V$-atoms $\alpha$ and $\beta$, if the formula $\Box T \wedge \alpha \wedge \bigcirc\beta$ is consistent, then the formula $T \wedge \alpha \wedge \mathit{skip} \wedge \mathit{sfin}\,\beta$ is satisfiable. 

Lemma   Summary 

62      If $\Box T \wedge \alpha \wedge \bigcirc\beta$ is consistent, then $T \wedge \alpha \wedge \mathit{skip} \wedge \mathit{sfin}\,\beta$ is satisfiable 
64      If $\Box T \wedge \alpha \wedge \Diamond\beta$ is consistent, then $(\$T)^* \wedge \alpha \wedge \mathit{sfin}\,\beta$ is satisfiable 
65      If $\Box T \wedge \alpha \wedge \Diamond^+\beta$ is consistent, then $(\$T)^* \wedge \alpha \wedge \bigcirc\mathit{sfin}\,\beta$ is satisfiable 

Table 8: Summary of some basic lemmas for consistency and satisfiability 

Proof From the consistency of the formula $\Box T \wedge \alpha \wedge \bigcirc\beta$ and simple temporal 
reasoning, we obtain the consistency of the $\mathit{NL}^1_V$ formula $T \wedge \alpha \wedge \bigcirc\beta$. 
Theorem 61 concerning axiomatic completeness for NL formulas in the PTL 
axiom system then ensures that this is satisfiable. Clearly any interval satisfying 
it has at least two states. Hence by an earlier lemma the formula 
$\mathit{skip} \wedge T \wedge \alpha \wedge \bigcirc\beta$ is also satisfiable. Consequently, simple temporal reasoning 
yields that the semantically equivalent formula $T \wedge \alpha \wedge \mathit{skip} \wedge \mathit{sfin}\,\beta$ is 
satisfiable as well. □ 

For any $V$-atom $\alpha$, within the next two lemmas we let $S_\alpha$ denote the subset 
of $\mathit{Atoms}_V$ containing exactly every $V$-atom $\gamma$ for which the following formula, 
which concerns reachability from $\alpha$, is satisfiable: 

$$(\$T)^* \wedge \alpha \wedge \mathit{sfin}\,\gamma \ .$$

Here is a more formal definition of $S_\alpha$: 

$$S_\alpha \;=\; \{\gamma \in \mathit{Atoms}_V : (\$T)^* \wedge \alpha \wedge \mathit{sfin}\,\gamma \text{ is satisfiable}\} \ .$$

Lemma 63 For any $V$-atom $\alpha$, the following formula is a PTL theorem: 

$$\vdash\ \Box T \wedge \alpha \ \supset\ \Box\bigvee_{\gamma \in S_\alpha}\gamma \ . \qquad (19)$$

Proof The following formulas are valid and in $\mathit{NL}^1$. Hence, they are theorems 
by the completeness of the PTL axiom system for $\mathit{NL}^1$ formulas (Theorem 61): 

$$\vdash\ \alpha \supset \bigvee_{\gamma \in S_\alpha}\gamma \qquad\qquad \vdash\ \mathit{more} \wedge T \wedge \bigvee_{\gamma \in S_\alpha}\gamma \ \supset\ \bigcirc\bigvee_{\gamma \in S_\alpha}\gamma \ .$$

From these and simple temporal reasoning we can readily deduce our goal (19). □ 

Lemma 64 For any $V$-atoms $\alpha$ and $\beta$, if the formula $\Box T \wedge \alpha \wedge \Diamond\beta$ is consistent, then the formula $(\$T)^* \wedge \alpha \wedge \mathit{sfin}\,\beta$ is satisfiable. 

Proof Suppose on the contrary that $(\$T)^* \wedge \alpha \wedge \mathit{sfin}\,\beta$ is unsatisfiable. Now 
$\alpha$ is in the set $S_\alpha$, whereas $\beta$ is not. Hence, the following formula concerning $\beta$ 
not being in $S_\alpha$ is valid and thus a propositional tautology: 

$$\vdash\ \bigvee_{\gamma \in S_\alpha}\gamma \ \supset\ \neg\beta \ . \qquad (20)$$

Furthermore, the previous Lemma 63 ensures that the next implication is a PTL 
theorem: 

$$\vdash\ \Box T \wedge \alpha \ \supset\ \Box\bigvee_{\gamma \in S_\alpha}\gamma \ . \qquad (21)$$

The two implications (20) and (21) together with some simple temporal reasoning 
let us deduce that $\alpha$ can never reach $\beta$: 

$$\vdash\ \Box T \wedge \alpha \ \supset\ \Box\neg\beta \ .$$

From this and the general equivalence $\vdash \Box\neg\beta \equiv \neg\Diamond\beta$ we can deduce that 
$\neg(\Box T \wedge \alpha \wedge \Diamond\beta)$ is a PTL theorem. 
Therefore, the formula $\Box T \wedge \alpha \wedge \Diamond\beta$ is inconsistent. This contradicts the 
lemma's assumption. □ 

Lemma 65 For any $V$-atoms $\alpha$ and $\beta$, if the formula $\Box T \wedge \alpha \wedge \Diamond^+\beta$ is 
consistent, then the formula $(\$T)^* \wedge \alpha \wedge \bigcirc\mathit{sfin}\,\beta$ is satisfiable. 

Proof From the consistency of the formula $\Box T \wedge \alpha \wedge \Diamond^+\beta$, we readily deduce 
for some $V$-atom $\gamma$ the consistency of the two $\mathit{PTL}_V$ formulas below: 

$$\Box T \wedge \alpha \wedge \Diamond\gamma \qquad\qquad \Box T \wedge \gamma \wedge \bigcirc\beta \ .$$

The consistency of the first formula $\Box T \wedge \alpha \wedge \Diamond\gamma$ and Lemma 64 yield that 
the formula $(\$T)^* \wedge \alpha \wedge \mathit{sfin}\,\gamma$ is satisfiable. Lemma 62 and the second formula 
$\Box T \wedge \gamma \wedge \bigcirc\beta$ then guarantee that the formula $T \wedge \gamma \wedge \mathit{skip} \wedge \mathit{sfin}\,\beta$ is 
satisfiable. An earlier lemma on chopping satisfiable formulas then yields that the next formula is satisfiable: 

$$\big((\$T)^* \wedge \alpha \wedge \mathit{finite}\big);\big(T \wedge \gamma \wedge \mathit{skip} \wedge \mathit{sfin}\,\beta\big) \ .$$

From this and some further simple interval-based reasoning we can establish our 
goal, namely, that the formula $(\$T)^* \wedge \alpha \wedge \bigcirc\mathit{sfin}\,\beta$ is satisfiable. □ 



10.2 Completeness for Transition Configurations 

We now apply the material presented in the previous §10.1 to ultimately establish 
completeness for finite- and infinite-time transition configurations. Here is 
a summary of the completeness theorems for them: 

Type of transition configuration   Where proved 
Finite-time                        Theorem 66 
Infinite-time                      Theorem 67 

The remaining two kinds of transition configurations are subordinate to these. 
For the sake of brevity, we do not consider them here. 
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Theorem 66 Completeness holds for any finite-time transition configuration 

□ T a init a finite. 

Proof From the consistency of the finite-time transition configuration □ T a 
init a finite and simple temporal reasoning we can demonstrate that for some 
V- atoms a and (3, the next formula is consistent: 

T a a a imi a s/m (T a 0) . 

From this and further simple temporal reasoning it is readily follows that the 
following formulas are all consistent: 

a a init BTaciaO(5 T a (3 a empty . 

The first of these is itself satisfiable since any consistent formula in PROP 
is satisfiable. The second one and Lemma [M] yields that the PITL formula 
($T)* a en a sfin (3 is satisfiable. The third formula T a (3 a empty is in NL 1 and 
hence by Thcorcm|^satisfiable. Hence the following formulas are all satisfiable: 

a a init ($T)* a a a sfin (3 Ta/Ja empty . 

This and Theorem 1461 then yield the satisfiability of the finite-time transition 
configuration □ T a init a finite. □ 

Theorem 67 Completeness holds for any infinite-time transition configuration 

$$\Box T \wedge \mathit{init} \wedge \Box\Diamond^+ L \ .$$

Proof From the consistency of the infinite-time transition configuration $\Box T \wedge \mathit{init} \wedge \Box\Diamond^+ L$ and simple temporal reasoning we can demonstrate that for some 
$V$-atoms $\alpha$ and $\beta$, the next formula is consistent: 

$$\Box T \wedge \alpha \wedge \mathit{init} \wedge \Box\Diamond^+(\beta \wedge L) \ . \qquad (22)$$

An earlier lemma ensures that the formulas $\beta \wedge L$ and $\beta \wedge \mathit{En}_{L:\beta}$ are semantically 
equivalent. The proof of this only requires simple propositional reasoning not 
involving the temporal operators in $L$. Hence the next equivalence is readily 
deducible as a PTL theorem using substitution into a propositional tautology 
(see Definition 13 and PTL inference rule R1 in Table 7): 

$$\vdash\ \beta \wedge L \ \equiv\ \beta \wedge \mathit{En}_{L:\beta} \ . \qquad (23)$$

From the consistency of formula (22) and the deducibility of formula (23), we 
can show the consistency of the next formula: 

$$\Box T \wedge \alpha \wedge \mathit{init} \wedge \Box\Diamond^+(\beta \wedge \mathit{En}_{L:\beta}) \ .$$

This and simple temporal reasoning then together yield the consistency of the 
following formulas involving some additional $V$-atoms $\gamma_1, \dots, \gamma_{|\mathit{En}_{L:\beta}|}$ (not necessarily distinct): 

$$\alpha \wedge \mathit{init} \qquad\quad \Box T \wedge \alpha \wedge \Diamond\beta \qquad\quad \Box T \wedge \beta \wedge \Diamond^+\beta$$

$$\text{for each } \gamma_i:\quad \Box T \wedge \beta \wedge \Diamond\gamma_i \qquad\quad \gamma_i \wedge \theta_{\mathit{En}_{L:\beta}[i]} \qquad\quad \Box T \wedge \gamma_i \wedge \Diamond\beta \ .$$

The consistency of the propositional formulas $\alpha \wedge \mathit{init}$ and $\gamma_i \wedge \theta_{\mathit{En}_{L:\beta}[i]}$ for each 
$V$-atom $\gamma_i$ ensures they are satisfiable. Lemma 64 is then applied to the remaining 
consistent formulas, except for $\Box T \wedge \beta \wedge \Diamond^+\beta$ which requires Lemma 65. 
The combined result is that the following formulas are all satisfiable: 

$$\alpha \wedge \mathit{init} \qquad\quad (\$T)^* \wedge \alpha \wedge \mathit{sfin}\,\beta \qquad\quad (\$T)^* \wedge \beta \wedge \bigcirc\mathit{sfin}\,\beta$$

$$\text{for each } \gamma_i:\quad (\$T)^* \wedge \beta \wedge \mathit{sfin}\,\gamma_i \qquad\quad \gamma_i \wedge \theta_{\mathit{En}_{L:\beta}[i]} \qquad\quad (\$T)^* \wedge \gamma_i \wedge \mathit{sfin}\,\beta \ .$$

Hence by Theorem 49 the original consistent infinite-time transition configuration 
is indeed satisfiable. □ 



11 Invariants and Related Formulas 

We will shortly introduce the concepts of invariants and invariant configurations 
which together act as a natural middle level between transition configurations 
and full PTL and involve the use of auxiliary variables. These variables provide 
a way to reduce the nesting of temporal operators within other temporal op- 
erators and thereby simplify further analysis. Satisfiability, existence of small 
models, decidability and axiomatic completeness for invariant configurations 
can be readily related to the analysis of transition configurations. Furthermore, 
it is not hard to reduce arbitrary PTL formulas to invariant configurations by 
utilising such auxiliary variables. 

The analysis of invariant configurations and arbitrary PTL formulas does 
not require any further interval-based reasoning or PITL. 

Definition 68 (Invariant) An invariant is any finite conjunction of zero or 
more equivalences in which each equivalence's left side is a distinct propositional 
variable and each equivalence's right side is one of the following: 

• Some PTL formula of the form $\Diamond w$, for some state formula $w$. 

• Some $\mathit{NL}^1$ formula. 

The variables occurring on the left sides of equivalences are called dependent 
variables and any other variables are called independent variables. The right 
sides are called dependent formulas and each equivalence is itself called a dependency. 
Hence for a given invariant $I$, it follows that $|I|$ denotes the number 
of dependencies in $I$. Also, for any $k : 1 \le k \le |I|$, $I[k]$ denotes the $k$-th dependency 
in $I$. Each dependency containing $\Diamond$ is referred to as a $\Diamond$-dependency. 
Observe that a dependent variable can be referenced in any dependent formula 
including the one associated with it. 

Below is a sample invariant referred to as $I_1$: 

$$I_1:\quad (r_1 \equiv \Diamond(p \wedge \neg q)) \wedge (r_2 \equiv (r_1 \wedge \bigcirc r_2)) \ .$$

Here $|I_1|$ equals 2, the first dependency $I_1[1]$ is the equivalence $r_1 \equiv \Diamond(p \wedge \neg q)$ 
and the second dependency $I_1[2]$ is the equivalence $r_2 \equiv (r_1 \wedge \bigcirc r_2)$. 

Note that an invariant is not necessarily satisfiable, as in $r_1 \equiv \neg r_1$. Also 
note that dependencies of the two forms $r \equiv w$ and $r \equiv \bigcirc w$, for some propositional 
variable $r$ and state formula $w$, are both subsumed by the second case 
in Definition 68. If desired, a more restrictive definition of invariants limited to 
dependencies of the form $w$, $\bigcirc w$ and $\Diamond w$ is possible. 

We can view an invariant $I$ as being any conjunction having the form 
$\bigwedge_{k:1\le k\le m}(u_k \equiv \phi_k)$ so that $u_k$ is the $k$-th dependent propositional variable 
and $\phi_k$ is the $k$-th dependent formula in $I$. Observe that for any $k : 1 \le k \le |I|$, 
the conjunct $I[k]$ has the form $u_k \equiv \phi_k$ and $I$ itself can be expressed as 

$$\bigwedge_{k:1\le k\le |I|} I[k] \ .$$

Starting with an invariant $I$, we analyse certain low-level formulas referred 
to here as invariant configurations. 

Definition 69 (Invariant Configurations) An invariant configuration is a 
formula of the form $\Box I \wedge X$ where the PTL formula $X$ is in one of three 
categories shown below: 

Type of invariant configuration   Syntax of $X$ 
Basic                             $w$ 
Finite-time                       $w \wedge \mathit{finite}$ 
Infinite-time                     $w \wedge \mathit{inf}$ 

Here $w$ is a state formula. 

For example, the conjunction $\Box I_1 \wedge r_2$ is a basic invariant configuration which 
is true for intervals which are infinite, have $r_1$ and $r_2$ always true and $p$ and $\neg q$ 
both always eventually true. 

The next definition helps to simplify the notation used in the reduction of 
invariant configurations to transition configurations: 

Definition 70 (Ordered Invariant) An invariant is said to be ordered if all 
of its $\Diamond$-dependencies precede any others. 

It is not hard to rearrange an arbitrary invariant's dependencies to obtain a 
semantically equivalent ordered invariant. In the rest of this section, we will 
without loss of generality limit our attention to ordered invariants and invariant 
configurations based on them. 

We now associate with an ordered invariant $I$ a transition formula $T_I$ and 
a conditional liveness formula $L_I$. They serve to expeditiously reduce invariant 
configurations to transition configurations previously analysed in earlier sections. 
Definition 71 below describes $T_I$. The subsequent Definition 73 describes 
the form of $L_I$. 

Definition 71 (Transition Formula for an Ordered Invariant) For an ordered 
invariant $I$, the associated transition formula $T_I$ is an $\mathit{NL}^1$ formula which 
captures $I$'s transitional behaviour between pairs of adjacent states. It is obtained 
from $I$ by replacing each $\Diamond$-dependency with another dependency not containing 
$\Diamond$ and leaving the remaining $\Diamond$-free dependencies unchanged. More precisely, 
each dependency in $I$ of the form $r \equiv \Diamond w$, for some propositional variable $r$ 
and state formula $w$, is replaced by the $\Diamond$-free equivalence $r \equiv (w \vee \bigcirc r)$. 

Observe that the transition formula $T_I$ is in $\mathit{NL}^1$ and is also a well-formed 
invariant. Also, for any $k : 1 \le k \le |I|$, if the dependency $I[k]$ does not contain 
$\Diamond$, then it and $T_I$'s corresponding dependency $T_I[k]$ are identical. 
Here is the transition formula $T_{I_1}$ associated with $I_1$: 

$$T_{I_1}:\quad (r_1 \equiv ((p \wedge \neg q) \vee \bigcirc r_1)) \wedge (r_2 \equiv (r_1 \wedge \bigcirc r_2)) \ .$$

Let us now introduce some simple notation needed for reasoning about liveness 
and $\Diamond$-dependencies. This will be used in the definition of an ordered 
invariant's associated conditional liveness formula. 

Definition 72 (Liveness Tests of an Ordered Invariant) For any ordered 
invariant $I$ having $n$ $\Diamond$-dependencies, define $n$ different liveness tests $\theta_I[1], \dots, \theta_I[n]$ 
so that for each $k : 1 \le k \le n$, the $k$-th dependency in $I$ is expressible as 

$$u_k \equiv \Diamond\theta_I[k] \ .$$

For instance, the sample invariant $I_1$ has a single liveness test $\theta_{I_1}[1]$ which denotes 
the formula $p \wedge \neg q$. Note that each $\theta_I[k]$ is always a state formula. If an invariant 
$I$ has $n$ $\Diamond$-dependencies, then for each $k : 1 \le k \le n$, $T_I$'s dependency $T_I[k]$ is 
identical to the equivalence $u_k \equiv (\theta_I[k] \vee \bigcirc u_k)$. 

Given an ordered invariant $I$, we now associate a specific conditional liveness 
formula $L_I$ with it: 

Definition 73 (Conditional Liveness Formula of an Ordered Invariant) 
The conditional liveness formula $L_I$ of an ordered invariant $I$ which has $n$ $\Diamond$-dependencies 
is itself a conjunction of $n$ implications. For each $k : 1 \le k \le n$, 
the $k$-th implication is obtained by simply replacing the outermost equivalence 
operator in $I$'s $k$-th $\Diamond$-dependency by the implication operator and using $\Diamond^+$ instead 
of $\Diamond$. Therefore, for each $k : 1 \le k \le n$, the dependency $I[k]$ has the form 
$u_k \equiv \Diamond\theta_I[k]$ and the implication $L_I[k]$ has the form $u_k \supset \Diamond^+\theta_I[k]$. 

The definition of $I$'s conditional liveness formula $L_I$ intentionally ignores any 
$\mathit{NL}^1$ dependencies in $I$ since $T_I$ already adequately deals with them. As a result, 
$L_I$ can contain fewer conjuncts than $I$ and $T_I$. Below is the conditional liveness 
formula $L_{I_1}$ associated with the ordered invariant $I_1$: 

$$L_{I_1}:\quad (r_1 \supset \Diamond^+(p \wedge \neg q)) \ .$$

It is not hard to see that, unlike $I$'s transition formula, the conditional liveness 
formula associated with $I$ is not a well-formed invariant. 
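The following Python code is an added example (not from the paper) that represents an invariant as a list of dependent formulas and derives $T_I$ and $L_I$ from it as Definitions 70 to 73 prescribe, using $I_1$ as the sample input; the tuple encoding and the function names are ours.

```python
# Added example (not from the paper): T_I and L_I of an ordered invariant.
# Formulas are nested tuples: ('var', 'p') is an independent variable and
# ('dep', k) is the k-th dependent variable u_k (written r_k in the paper).

P, Q = ('var', 'p'), ('var', 'q')

# I_1 : (r_1 ≡ ◇(p ∧ ¬q)) ∧ (r_2 ≡ (r_1 ∧ ◯r_2)).  An invariant is a list of
# dependent formulas; position k-1 holds the right side of u_k's equivalence.
I1 = [('sometime', ('and', P, ('not', Q))),
      ('and', ('dep', 1), ('next', ('dep', 2)))]

def is_diamond_dep(phi):
    """A ◇-dependency has the form u_k ≡ ◇w; every other right side is NL^1."""
    return phi[0] == 'sometime'

def is_ordered(inv):
    """Definition 70: every ◇-dependency precedes every NL^1 dependency."""
    seen_nl = False
    for phi in inv:
        if is_diamond_dep(phi):
            if seen_nl:
                return False
        else:
            seen_nl = True
    return True

def liveness_tests(inv):
    """Definition 72: the state formulas θ_I[k] of the ◇-dependencies, in order."""
    return [phi[1] for phi in inv if is_diamond_dep(phi)]

def transition_formula(inv):
    """Definition 71: replace u_k ≡ ◇w by u_k ≡ (w ∨ ◯u_k); keep the rest as is."""
    assert is_ordered(inv)
    out = []
    for k, phi in enumerate(inv, start=1):
        if is_diamond_dep(phi):
            out.append(('or', phi[1], ('next', ('dep', k))))
        else:
            out.append(phi)
    return out

def conditional_liveness_formula(inv):
    """Definition 73: one implication u_k ⊃ ◇⁺θ_I[k] per ◇-dependency."""
    assert is_ordered(inv)
    return [('imp', ('dep', k), ('sometime_plus', phi[1]))
            for k, phi in enumerate(inv, start=1) if is_diamond_dep(phi)]

def show(f):
    """Render a formula in the paper's notation."""
    op = f[0]
    if op == 'var':
        return f[1]
    if op == 'dep':
        return 'r%d' % f[1]
    prefix = {'not': '¬', 'next': '◯', 'sometime': '◇', 'sometime_plus': '◇⁺'}
    if op in prefix:
        return prefix[op] + show(f[1])
    infix = {'and': ' ∧ ', 'or': ' ∨ ', 'imp': ' ⊃ '}[op]
    return '(' + show(f[1]) + infix + show(f[2]) + ')'

def show_invariant(inv):
    """Render the conjunction of equivalences (r_k ≡ φ_k)."""
    return ' ∧ '.join('(r%d ≡ %s)' % (k, show(phi)) for k, phi in enumerate(inv, 1))

if __name__ == '__main__':
    print('I_1   :', show_invariant(I1))
    print('T_I_1 :', show_invariant(transition_formula(I1)))
    print('L_I_1 :', ' ∧ '.join(show(f) for f in conditional_liveness_formula(I1)))
```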

11.1 Reduction of Basic Invariant Configurations 

Starting with an ordered invariant $I$, let us now consider the relationship between 
its basic invariant configuration and the associated finite-time and infinite-time 
invariant configurations. This permits us to focus the remaining analysis 
on the two latter kinds of invariant configurations. 

Lemma 74 A basic invariant configuration $\Box I \wedge w$ is satisfiable iff at least 
one of its associated finite-time and infinite-time invariant configurations is 
satisfiable. 

Proof This follows from the validity of the formula $\mathit{finite} \vee \mathit{inf}$ and simple 
propositional reasoning. □ 

The finite-time and infinite-time invariant configurations for the ordered 
invariant $I$ each have a corresponding semantically equivalent transition configuration 
of the same kind as is now shown: 

               Invariant configuration            Transition configuration                      Where proved 
Finite time    $\Box I \wedge w \wedge \mathit{finite}$   $\Box T_I \wedge w \wedge \mathit{finite}$            Theorem 76 
Infinite time  $\Box I \wedge w \wedge \mathit{inf}$      $\Box T_I \wedge w \wedge \Box\Diamond^+ L_I$      Theorem 79 

Observe that the reductions from the two types of invariant configurations to 
the corresponding transition configurations do not introduce any extra variables. 
In what follows we prove that a finite-time invariant configuration is semantically 
equivalent to its associated finite-time transition configuration and similarly an 
infinite-time invariant configuration is semantically equivalent to its associated 
infinite-time transition configuration. 

In what follows we will often abstract the behaviour of a $\Diamond$-dependency by 
using two propositional variables $p$ and $q$ and representing the dependency as 
the PTL equivalence $p \equiv \Diamond q$. This technique is used to establish the next 
lemma: 

Lemma 75 The formulas $\Box I$ and $\Box T_I$ are semantically equivalent on finite 
intervals. In other words, the following implication is valid: 

$$\models\ \mathit{finite} \ \supset\ (\Box I \equiv \Box T_I) \ .$$



Proof We can represent $\Box I$ as the conjunction $\bigwedge_{k:1\le k\le|I|}\Box I[k]$ and similarly 
represent $\Box T_I$ as the conjunction $\bigwedge_{k:1\le k\le|I|}\Box T_I[k]$. For any $k : 1 \le k \le |I|$, 
if $I[k]$ is in $\mathit{NL}^1$ then $T_I[k]$ is identical to it and hence $\Box I[k]$ and $\Box T_I[k]$ are 
identical. Otherw$I$se, $\Box I[k]$ can be seen as a substitution instance of the PTL 
formula $\Box(p \equiv \Diamond q)$ containing the two propositional variables $p$ and $q$. Now 
$\Box T_I[k]$ therefore corresponds to the formula $\Box(p \equiv (q \vee \bigcirc p))$. Simple temporal 
reasoning can then be used to show that each of these implies the other in any 
finite interval. □ 

Let us note that the validity for finite time of the relevant equivalence $\Box(p \equiv \Diamond q) \equiv \Box(p \equiv (q \vee \bigcirc p))$ can even be readily checked by a computer implementation 
of a decision procedure for PTL with finite time. 

Theorem 76 The finite-time invariant configuration for $I$ is semantically equivalent 
to the associated finite-time transition configuration. 

Proof This readily follows from Lemma 75 and propositional reasoning. □ 

Unfortunately, the equivalence $\Box I \equiv \Box T_I$ can fail to be valid for infinite 
time if $I$ contains $\Diamond$-dependencies because $T_I$ does not fully capture the liveness 
requirements of such dependencies. Lemma 78 later on corrects for this problem 
by showing that in infinite time the two formulas $\Box I$ and $\Box T_I \wedge \Box\Diamond^+ L_I$ are 
semantically equivalent. The reason that $\Box I \equiv \Box T_I$ is not necessarily valid is 
because when we consider an individual $\Diamond$-dependency, the formulas $\Box(p \equiv \Diamond q)$ 
and $\Box(p \equiv (q \vee \bigcirc p))$ are not semantically equivalent on infinite-time intervals 
since on such an interval, the first formula can be false and the second one true. 
An example of this occurs in any infinite interval where $p$ is always true and $q$ 
is always false. Therefore, if $I$ contains $\Diamond$-dependencies, then $\Box I$ can be false 
on an infinite-time interval even though $\Box T_I$ is true on the interval. However, 
the next lemma holds even for infinite time: 

Lemma 77 The PTL implication $\Box I \supset \Box T_I$ is valid. 

Proof The $\mathit{NL}^1$-dependencies in $I$ and $T_I$ are identical. Furthermore, for the 
$\Diamond$-dependencies we make use of the valid PTL formula $\Box(p \equiv \Diamond q) \supset \Box(p \equiv (q \vee \bigcirc p))$. □ 

We see from Lemma 77 that the formula $\Box I \supset \Box T_I$ is valid for both finite 
and infinite time. However if $I$ contains $\Diamond$-dependencies, then the converse 
implication $\Box T_I \supset \Box I$ is not necessarily valid for infinite time because the 
implication $\Box(p \equiv (q \vee \bigcirc p)) \supset \Box(p \equiv \Diamond q)$ fails to be valid. We now discuss 
the principles which successfully correct for this. First of all, the following 
weakened implication concerning an individual $\Diamond$-dependency is valid: 

$$\vdash\ \Box(p \equiv (q \vee \bigcirc p)) \ \supset\ \Box(\Diamond q \supset p) \ .$$

Here we use the formula $\Diamond q \supset p$ instead of the stronger equivalence $p \equiv \Diamond q$. 
The following equivalence then strengthens the effect of $\Box(p \equiv (q \vee \bigcirc p))$ by 
adding the formula $\Box(p \supset \Diamond q)$: 

$$\vdash\ \Box(p \equiv \Diamond q) \ \equiv\ \Box(p \equiv (q \vee \bigcirc p)) \wedge \Box(p \supset \Diamond q) \ .$$

In fact, we can even replace the conjunct $\Box(p \supset \Diamond q)$ by the weaker formula 
$\Box\Diamond(p \supset \Diamond q)$ which adds a $\Diamond$: 

$$\vdash\ \Box(p \equiv \Diamond q) \ \equiv\ \Box(p \equiv (q \vee \bigcirc p)) \wedge \Box\Diamond(p \supset \Diamond q) \ .$$

All three valid formulas only contain the propositional variables $p$ and $q$ and 
can consequently be readily checked for infinite-time validity by any computer 
implementation of a decision procedure for PTL with infinite time. 

Now suppose the ordered invariant $I$ has $m$ $\Diamond$-dependencies and hence 
$m = |L_I|$. If we have $m$ pairs of propositional variables $p_1, q_1, \dots, p_m, q_m$ 
(corresponding to $I$'s $\Diamond$-dependencies) then the following generalisation of the 
previous valid equivalence is itself valid: 

$$\vdash\ \Box\bigwedge_{1\le k\le m}(p_k \equiv \Diamond q_k) \ \equiv\ \Box\bigwedge_{1\le k\le m}\big(p_k \equiv (q_k \vee \bigcirc p_k)\big) \wedge \Box\Diamond\bigwedge_{1\le k\le m}(p_k \supset \Diamond q_k) \ .$$

The left side of the equivalence corresponds to the invariant $I[1:m]$. Similarly, 
the first conjunct on the right side corresponds to $T_I[1:m]$ and the second one 
to $L_I$, except for the use of $\Diamond$ instead of $\Diamond^+$. 
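As an added example that is not part of the paper, the following Python code checks the formulas in $p$ and $q$ discussed above by brute force: it evaluates PTL formulas over every finite interval up to a given length and over every ultimately periodic infinite interval (a "lasso") up to a given number of distinct states, which is enough to exhibit the counterexample with $p$ always true and $q$ always false. The tuple encoding of formulas and the function names are ours.

```python
# Added example (not from the paper): brute-force checks of the p/q formulas
# above.  A state is the frozenset of variables true in it; an interval is a
# tuple of states plus `loop`: None for a finite interval, or the index l of
# the state that follows the last one forever (ultimately periodic interval).
from itertools import product

def succ(n, loop, i):
    """Index of the state after position i; None at the end of a finite interval."""
    return i + 1 if i + 1 < n else loop

def positions_from(n, loop, i):
    """All positions at or after i (a finite set even on a lasso)."""
    seen, j = [], i
    while j is not None and j not in seen:
        seen.append(j)
        j = succ(n, loop, j)
    return seen

def holds(f, states, loop, i=0):
    """Semantics of ¬, ∧, ∨, ⊃, ≡, strong ◯, ◇ and □ at position i of the interval."""
    n, op = len(states), f[0]
    sub = lambda g, j=i: holds(g, states, loop, j)
    if op == 'var':   return f[1] in states[i]
    if op == 'not':   return not sub(f[1])
    if op == 'and':   return sub(f[1]) and sub(f[2])
    if op == 'or':    return sub(f[1]) or sub(f[2])
    if op == 'imp':   return (not sub(f[1])) or sub(f[2])
    if op == 'equiv': return sub(f[1]) == sub(f[2])
    if op == 'next':                      # strong next: a successor must exist
        j = succ(n, loop, i)
        return j is not None and sub(f[1], j)
    if op == 'sometime':
        return any(sub(f[1], j) for j in positions_from(n, loop, i))
    if op == 'always':
        return all(sub(f[1], j) for j in positions_from(n, loop, i))
    raise ValueError(op)

def intervals(variables, max_len, infinite):
    """Every finite interval (or every lasso) over `variables` with at most max_len states."""
    subsets = [frozenset(v for v, b in zip(variables, bits) if b)
               for bits in product([0, 1], repeat=len(variables))]
    for n in range(1, max_len + 1):
        for states in product(subsets, repeat=n):
            for loop in (range(n) if infinite else (None,)):
                yield states, loop

def differ_on(f, g, variables, max_len, infinite):
    """First interval on which f and g take different truth values, else None."""
    for states, loop in intervals(variables, max_len, infinite):
        if holds(f, states, loop) != holds(g, states, loop):
            return states, loop
    return None

P, Q = ('var', 'p'), ('var', 'q')
DEP   = ('always', ('equiv', P, ('sometime', Q)))              # □(p ≡ ◇q)
TRANS = ('always', ('equiv', P, ('or', Q, ('next', P))))       # □(p ≡ (q ∨ ◯p))
LIVE  = ('always', ('sometime', ('imp', P, ('sometime', Q))))  # □◇(p ⊃ ◇q)
REACH = ('always', ('imp', ('sometime', Q), P))                # □(◇q ⊃ p)

def lemma75_finite(max_len=4):
    """Lemma 75: DEP ≡ TRANS on every finite interval with at most max_len states."""
    return differ_on(DEP, TRANS, ('p', 'q'), max_len, infinite=False) is None

def infinite_counterexample(max_len=3):
    """A lasso separating DEP from TRANS (the text's p-always, q-never interval)."""
    return differ_on(DEP, TRANS, ('p', 'q'), max_len, infinite=True)

def corrected_infinite(max_len=3):
    """The corrected equivalence DEP ≡ TRANS ∧ LIVE and the weakened implication
    TRANS ⊃ REACH hold on every lasso with at most max_len distinct states."""
    vs = ('p', 'q')
    eq_ok = differ_on(DEP, ('and', TRANS, LIVE), vs, max_len, infinite=True) is None
    imp_ok = all(holds(('imp', TRANS, REACH), s, l)
                 for s, l in intervals(vs, max_len, infinite=True))
    return eq_ok and imp_ok

if __name__ == '__main__':
    print('Lemma 75 on finite intervals:', lemma75_finite())
    print('infinite counterexample:', infinite_counterexample())
    print('corrected equivalence on lassos:', corrected_infinite())
```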

Now within infinite time, $\Box\Diamond$ and $\Box\Diamond^+$ have the same behaviour and in 
addition the strong and weak next operators $\bigcirc$ and $\mathit{w}\!\bigcirc$ act identically. We use this to obtain the next lemma which 
expresses $I$ in terms of $T_I$ and $L_I$: 

Lemma 78 The formula $\mathit{inf} \supset (\Box I \equiv (\Box T_I \wedge \Box\Diamond^+ L_I))$ is valid. 

Theorem 79 An infinite-time invariant configuration $\Box I \wedge w \wedge \mathit{inf}$ for the ordered 
invariant $I$ is semantically equivalent to the associated infinite-time transition 
configuration $\Box T_I \wedge w \wedge \Box\Diamond^+ L_I$. 

Proof This readily follows from Lemma 78 and simple temporal reasoning. □ 

The soundness of the reductions to the associated transition configurations 
ensures that we can use the decision procedure described in Sect. 5. 

11.2 Bounded Models for Basic Invariant Configurations 

The theorem given below gives the small model property for basic invariant 
configurations: 

Theorem 80 Suppose $V$ is a finite set of variables and the variables in the 
ordered invariant $I$ and the state formula $w$ are all elements of $V$. Then the 
basic invariant configuration $\Box I \wedge w$ is satisfiable iff it is satisfied by some 
finite interval with interval length less than $|\mathit{Atoms}_V|$ or by an infinite, 
ultimately periodic one consisting of an initial segment with interval length at 
most $|\mathit{Atoms}_V|$ fused with a remaining infinite periodic part with a period having 
interval length at most $(|L_I| + 1)\,|\mathit{Atoms}_V|$. 

Proof Suppose $\Box I \wedge w$ is satisfiable. We will consider the two cases of finite 
and infinite intervals separately: 

Case for finite intervals: Theorem 76 ensures that the finite-time invariant 
configuration $\Box I \wedge w \wedge \mathit{finite}$ and its associated finite-time transition configuration 
$\Box T_I \wedge w \wedge \mathit{finite}$ are semantically equivalent. The construction of $T_I$ 
ensures that any variable occurring in it is a member of the set $V$. Lemma 38 
therefore establishes that if the conjunction $\Box T_I \wedge w \wedge \mathit{finite}$ is satisfiable, 
then a satisfying interval exists having interval length less than $|\mathit{Atoms}_V|$. This 
interval consequently also satisfies the basic invariant configuration $\Box I \wedge w$. 

Case for infinite intervals: Theorem 79 ensures that the infinite-time invariant 
configuration $\Box I \wedge w \wedge \mathit{inf}$ and its associated infinite-time transition 
configuration $\Box T_I \wedge w \wedge \Box\Diamond^+ L_I$ are semantically equivalent. From an earlier lemma 
we have that this second formula is satisfied by an infinite interval consisting of 
an initial segment having interval length less than $|\mathit{Atoms}_V|$ fused with a periodic 
interval with period having interval length at most $(|L_I| + 1)\,|\mathit{Atoms}_V|$. The 
overall ultimately periodic interval therefore also satisfies the formula $\Box I \wedge w$. □ 

11.3 Axiomatic Completeness for Invariant Configurations 

Theorem 81 Completeness holds for finite- and infinite-time invariant configurations. 

Proof Suppose we have some invariant $I$. Assume without loss of generality 
that $I$ is ordered since otherwise we can trivially rearrange its dependencies to 
obtain an ordered invariant which is both semantically and deducibly equivalent 
to $I$. Subsection 11.1 already described how to construct a semantically 
equivalent transition configuration from any finite-time or infinite-time invariant 
configuration associated with $I$. The various valid formulas mentioned there can 
be deduced as PTL theorems to establish that each such finite-time and infinite-time 
invariant configuration is also deducibly equivalent to the associated transition 
configuration. This and the previously shown axiomatic completeness 
for finite-time and infinite-time transition configurations respectively proved in 
Theorems 66 and 67 ensure that any consistent finite-time or infinite-time invariant 
configuration associated with $I$ is satisfiable. Hence, we establish our 
immediate goal of completeness for finite- and infinite-time invariant configurations. □ 

Theorem 82 Completeness holds for basic invariant configurations. 

Proof Suppose we have some consistent basic invariant configuration $\Box I \wedge w$. 
Now the disjunction $\mathit{finite} \vee \mathit{inf}$ is easily deduced as a propositional tautology 
since $\mathit{inf}$ is defined to be $\neg\mathit{finite}$. It is then straightforward to show 
using purely propositional reasoning that $\Box I \wedge w$ is deducibly equivalent to the 
disjunction of its associated finite-time and infinite-time invariant configurations: 

$$\vdash\ \Box I \wedge w \ \equiv\ (\Box I \wedge w \wedge \mathit{finite}) \vee (\Box I \wedge w \wedge \mathit{inf}) \ .$$

Hence at least one of the latter is also consistent. The previous Theorem 81 
ensures that any such consistent finite- or infinite-time invariant configuration 
is satisfiable as well. An interval which satisfies it can also serve as a model 
for the basic invariant configuration. This demonstrates the desired axiomatic 
completeness for all basic invariant configurations. □ 

12 Dealing with Arbitrary PTL Formulas 

So far we have only looked at bounded models and axiomatic completeness 
for certain kinds of PTL formulas. For an arbitrary PTL formula $X$, it is 
straightforward to construct an invariant $I$ linearly bounded by the size of $X$ 
and containing a finite number of dependent variables $u_1, u_2, \dots, u_{|I|}$ not 
themselves occurring in $X$ so as to mimic the semantics of $X$ in the sense 
that $X$ is satisfiable iff $\Box I \wedge u_{|I|}$ is satisfiable and in addition the implication 
$\Box I \supset (u_{|I|} \equiv X)$ is valid. 

$X$         $\mathcal{H}(X)$ 

$T$         $r_1 \equiv T$, for any $\mathit{NL}^1$ formula $T$. 
$\neg Y$    $\mathcal{H}(Y) \wedge (r_{|\mathcal{H}(Y)|+1} \equiv \neg r_{|\mathcal{H}(Y)|})$ 
$Y \vee Y'$ $\mathcal{H}(Y) \wedge \mathcal{H}(Y')\!\uparrow\! m \wedge (r_{m+n+1} \equiv r_m \vee r_{m+n})$, 
            where $m = |\mathcal{H}(Y)|$ and $n = |\mathcal{H}(Y')|$. 
$\Diamond Y$ $\mathcal{H}(Y) \wedge (r_{|\mathcal{H}(Y)|+1} \equiv \Diamond r_{|\mathcal{H}(Y)|})$ 

Table 9: Definition of $\mathcal{H}(X)$ 

One possible translation will be detailed shortly. Before describing it, we 
need to discuss a convention for systematically renaming an invariant's dependent 
variables. Normally, the first dependent variable in an invariant $I$ constructed 
here from a PTL formula is $r_1$ and the last is $r_{|I|}$. However, we 
inductively construct the invariants by combining smaller invariants into larger 
ones and often must alter the indices of the dependent variables to avoid clashes. 
An operator on formulas to suitably do this is now defined: 

Definition 83 (Shifting of Subscripts in Invariants) For any invariant $I$, 
the operation $I\!\uparrow\! k$ is defined to be the invariant obtained by replacing $u_1, \dots, u_{|I|}$ 
by $r_{1+k}, \dots, r_{|I|+k}$, i.e., $I^{u_1,\dots,u_{|I|}}_{r_{1+k},\dots,r_{|I|+k}}$. 

It is not hard to see that if $I$'s dependent variables are themselves the distinct 
variables $r_1, \dots, r_{|I|}$, then $I\!\uparrow\! k$ shifts the subscripts of them so that each $r_j$ 
becomes $r_{j+k}$. Therefore, the first dependent variable becomes $r_{1+k}$ instead of 
$r_1$, the second becomes $r_{2+k}$ and so forth. In other words, $I\!\uparrow\! k$ denotes the 
same formula as the conjunction $\bigwedge_{1\le j\le|I|}\big(r_{j+k} \equiv (\phi_j)^{u_1,\dots,u_{|I|}}_{r_{1+k},\dots,r_{|I|+k}}\big)$. 

Without loss of generality, let $X$ be a PTL formula which does not contain 
any of the variables $r_1, r_2, \dots$. Table 9 contains the definition of a function $\mathcal{H}(X)$ 
which translates $X$ into an invariant containing some of the variables $r_1, r_2, \dots$ 
as dependent variables. In order to reduce the number of dependent variables, 
the first case is used whenever the formula is in NL even if one of the next two 
cases for negation and logical-or is applicable. 

Table 10 contains a sample PTL formula $X_0$, an equivalent formula $X_0'$ 
having no logical-ands, implications or $\Box$ constructs, and the invariant $\mathcal{H}(X_0')$ 
and the initial condition $r_{|\mathcal{H}(X_0')|}$. We also include a version of $X_0'$ which shows 
how the dependencies correspond to the subformulas in $X_0'$. 

$X_0$ : $\Box((p \supset \Diamond\Diamond q) \wedge \Diamond(\neg p \vee \bigcirc q))$ 

$X_0'$ : $\neg\Diamond\neg\neg(\neg(\neg p \vee \Diamond\Diamond q) \vee \neg\Diamond(\neg p \vee \bigcirc q))$ 

$X_0'$ with dependent variables shown (each subscript names the dependent variable $r_i$ for the subformula headed by that symbol): 
$\neg_{14}\,\Diamond_{13}\,\neg_{12}\,\neg_{11}\big(\ \neg_{6}(\ \neg_{1}p \ \vee_{5}\ \Diamond_{4}\Diamond_{3}\,q_{2}\ ) \ \vee_{10}\ \neg_{9}\,\Diamond_{8}(\neg p \vee \bigcirc q)_{7}\ \big)$ 

$\mathcal{H}(X_0')$ : $(r_1 \equiv \neg p) \wedge (r_2 \equiv q) \wedge (r_3 \equiv \Diamond r_2) \wedge (r_4 \equiv \Diamond r_3)$ 
$\wedge\ (r_5 \equiv (r_1 \vee r_4)) \wedge (r_6 \equiv \neg r_5) \wedge (r_7 \equiv (\neg p \vee \bigcirc q))$ 
$\wedge\ (r_8 \equiv \Diamond r_7) \wedge (r_9 \equiv \neg r_8) \wedge (r_{10} \equiv (r_6 \vee r_9))$ 
$\wedge\ (r_{11} \equiv \neg r_{10}) \wedge (r_{12} \equiv \neg r_{11}) \wedge (r_{13} \equiv \Diamond r_{12})$ 
$\wedge\ (r_{14} \equiv \neg r_{13})$ 

Initial condition : $r_{14}$ 

Table 10: Example of invariant obtained by applying $\mathcal{H}$ to a PTL formula 

It is straightforward to utilise more sophisticated methods which construct 
invariants directly from formulas with other logical operators such as logical-and 
and $\Box$. In addition, it is not hard to systematically produce invariants 
containing far fewer dependencies than the ones generated by $\mathcal{H}$. In fact, 
our prototype implementation of the decision procedure described in Sect. 8 
makes use of such techniques and others as well. Here is an invariant and initial 
formula produced by the decision procedure directly from the formula $X_0$: 

$X_0$ : $\Box((p \supset \Diamond\Diamond q) \wedge \Diamond(\neg p \vee \bigcirc q))$ 

$I'$ : $(r_1 \equiv \Diamond q) \wedge (r_2 \equiv \Diamond r_1) \wedge (r_3 \equiv \bigcirc q) \wedge (r_4 \equiv \Diamond(\neg p \vee r_3))$ 
$\wedge\ (r_5 \equiv \Diamond\neg((p \supset r_2) \wedge r_4))$ 

$\mathit{init}'$ : $\neg r_5$ 

We omit further details. 
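The translation $\mathcal{H}$ of Table 9 together with the shift of Definition 83, as an added Python example that is neither the paper's nor the prototype's code; applied to $X_0$ it rebuilds the fourteen dependencies of Table 10. The helper names (`primitive`, `nl1`, `shift`, `H`, `translate`) and the tuple encoding are ours.

```python
# Added example (not from the paper): H(X) of Table 9 and I↑k of Definition 83.
# Formulas are nested tuples; ('dep', k) is the dependent variable r_k.

P, Q = ('var', 'p'), ('var', 'q')

def next_depth(f):
    """Nesting depth of ◯ in f (NL^1 allows at most one level)."""
    if f[0] in ('var', 'dep'):
        return 0
    d = max(next_depth(g) for g in f[1:])
    return d + 1 if f[0] == 'next' else d

def has_sometime(f):
    return f[0] == 'sometime' or any(has_sometime(g) for g in f[1:] if isinstance(g, tuple))

def nl1(f):
    """NL^1 formulas: no ◇ anywhere and ◯ nested at most once."""
    return not has_sometime(f) and next_depth(f) <= 1

def shift(inv, k):
    """I↑k: rename every dependent variable r_j to r_{j+k} (Definition 83)."""
    def sh(f):
        if f[0] == 'dep':
            return ('dep', f[1] + k)
        if f[0] == 'var':
            return f
        return (f[0],) + tuple(sh(g) for g in f[1:])
    return [sh(phi) for phi in inv]

def H(x):
    """Table 9.  The result is a list whose entry k-1 is the right side of the
    dependency r_k ≡ ...; the last variable r_|H(x)| mimics x."""
    if nl1(x):                                   # first case takes priority
        return [x]
    if x[0] == 'not':
        h = H(x[1]); m = len(h)
        return h + [('not', ('dep', m))]
    if x[0] == 'or':
        h, h2 = H(x[1]), H(x[2]); m, n = len(h), len(h2)
        return h + shift(h2, m) + [('or', ('dep', m), ('dep', m + n))]
    if x[0] == 'sometime':
        h = H(x[1]); m = len(h)
        return h + [('sometime', ('dep', m))]
    raise ValueError('H expects a formula built from ¬, ∨, ◇ and NL^1 parts')

def primitive(x):
    """Rewrite ∧, ⊃ and □ in terms of ¬, ∨ and ◇ so that H applies (X_0 to X_0')."""
    op = x[0]
    if op in ('var', 'dep'):
        return x
    a = primitive(x[1])
    if op == 'and':
        return ('not', ('or', ('not', a), ('not', primitive(x[2]))))
    if op == 'imp':
        return ('or', ('not', a), primitive(x[2]))
    if op == 'always':
        return ('not', ('sometime', ('not', a)))
    return (op,) + ((a, primitive(x[2])) if len(x) == 3 else (a,))

# X_0 : □((p ⊃ ◇◇q) ∧ ◇(¬p ∨ ◯q)), the sample formula of Table 10
X0 = ('always', ('and', ('imp', P, ('sometime', ('sometime', Q))),
                        ('sometime', ('or', ('not', P), ('next', Q)))))

def translate(x):
    """The invariant H(X') for X' = primitive(x) and the initial condition r_|H(X')|."""
    inv = H(primitive(x))
    return inv, ('dep', len(inv))

if __name__ == '__main__':
    inv, init = translate(X0)
    for k, phi in enumerate(inv, start=1):
        print('r%d ≡ %r' % (k, phi))
    print('initial condition:', init)
```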

It is easy to check that $\mathcal{H}(X)$ contains at most one dependent variable for 
each variable and operator in $X$ so the total number of dependent variables in 
$\mathcal{H}(X)$ is bounded by $X$'s size and indeed the size of $\mathcal{H}(X)$ is linearly bounded 
by $X$'s size. It is also easy to check by doing induction on $X$'s syntactic structure 
that $X$ is satisfiable iff the basic invariant configuration $\Box\mathcal{H}(X) \wedge r_{|\mathcal{H}(X)|}$ 
is satisfiable. Furthermore, the implication $\Box\mathcal{H}(X) \supset (r_{|\mathcal{H}(X)|} \equiv X)$ can be 
shown to be valid. Consequently, $\Box\mathcal{H}(X) \wedge r_{|\mathcal{H}(X)|}$ is used to represent $X$'s 
behaviour (modulo the dependent variables which act as auxiliary ones). The 
bounded model for the invariant configuration (see Theorem 80) satisfies $X$ as 
well. The decision procedure described in Sect. 8 can be utilised to check the 
satisfiability of arbitrary PTL formulas by reducing them first to basic invariant 
configurations and then testing the associated finite-time and infinite-time transition 
configurations (see §11.1). Axiomatic completeness for $X$ readily reduces 
to that for the invariant configuration $\Box\mathcal{H}(X) \wedge r_{|\mathcal{H}(X)|}$. 

13 Some Additional Features 

This section describes a number of extensions to our approach. They include 
the temporal operator until and past-time constructs and also a subset of PITL 
called Fusion Logic (FL) which includes constructs of the sort found in Propositional 
Dynamic Logic (PDL). In addition, the liveness tests found in conditional 
liveness formulas and invariants can be generalised to be of the form $\Diamond T$, where 
$T$ is an $\mathit{NL}^1$ formula, rather than just a state formula. We will consider each of 
these issues in turn. For the sake of brevity, the presentation is briefer and less 
formal than in the previous sections. 

13.1 The Operator until 

The operator until is a binary operator with the syntax XUY, where X and 
Y are PTL formulas. Recall from Sect. 21 that for any interval a and natural 
number k which does not exceed er's interval length, o~k-.\a\ denotes the suffix 
subinterval obtained by deleting the first k states from a. Here is the semantics 
of until : 

(j^XUY iff 

for some k < |<x|, a~k:\cr\ \= Y an d for all j : < j < k, Cj.i^i \= X . 
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Observe that the operator O can be expressed in terms of until since O X is 
semantically equivalent to the formula true until X. 

We can alter the definition of invariants by replacing $\Diamond$-dependencies with 
dependencies of the form $r \equiv (w \mathrel{\mathcal{U}} w')$, where $w$ and $w'$ are state formulas. 
If the $j$-th dependency $I[j]$ of an invariant $I$ is such a dependency (called an 
until-dependency), then the corresponding conjunct $T_I[j]$ in $I$'s transition 
formula $T_I$ has the form $r \equiv (w' \vee (w \wedge \bigcirc r))$. The associated conjunct $L_I[j]$ 
in $L_I$ is $r \supset \Diamond w'$. It is not hard to modify the material in Sect. 12 to ensure 
that finite-time and infinite-time invariant configurations remain semantically 
equivalent to the associated transition configurations. 

Alternatively, we can transform an invariant with until in it to one without 
it. Each dependency in $I$ of the form $u_k \equiv (w \mathrel{\mathcal{U}} w')$ is replaced by the 
dependency $u_k \equiv (u'_k \wedge (w' \vee (w \wedge \bigcirc u_k)))$, where $u'_k$ is a new dependent 
variable with the associated dependency $u'_k \equiv \Diamond w'$. This approach is more 
hierarchical than the first one but increases the number of dependencies used. 
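As an added example (not code from the paper), the following Python encodes the suffix-subinterval semantics of until on finite intervals and checks that solving the until-dependency's transition conjunct $r \equiv (w' \vee (w \wedge \bigcirc r))$ backwards from the last state reproduces the direct semantics, with the liveness conjunct $r \supset \Diamond w'$ holding as well; the interval encoding, sample data and all function names are ours.

```python
# Added example (not from the paper): finite-trace semantics of "until" and a
# check of the until-dependency reduction r ≡ (w' ∨ (w ∧ ◯r)) with r ⊃ ◇w'.
# An interval is a list of states; a state is the set of variables true in it.
# Formulas are Python predicates on (interval, position); all names are ours.
from itertools import product

def holds_until(X, Y, sigma, k=0):
    """sigma_k:|sigma| |= X until Y by the suffix-subinterval semantics:
    some j >= k with Y at j and X at every position in [k, j)."""
    for j in range(k, len(sigma)):
        if Y(sigma, j):
            return all(X(sigma, i) for i in range(k, j))
    return False

def eventually(Y, sigma, k=0):
    """◇Y, expressed as true until Y."""
    return holds_until(lambda s, i: True, Y, sigma, k)

def dependent_r(w, w_prime, sigma):
    """Value of the dependent variable r at each position, derived only from
    the transition conjunct r ≡ (w' ∨ (w ∧ ◯r)): on a finite interval ◯r is
    false at the last state, which fixes r there and propagates backwards."""
    r = [False] * len(sigma)
    for k in reversed(range(len(sigma))):
        next_r = r[k + 1] if k + 1 < len(sigma) else False
        r[k] = w_prime(sigma, k) or (w(sigma, k) and next_r)
    return r

def check_reduction(w, w_prime, sigma):
    """True iff r from the transition conjunct equals the direct semantics of
    w until w' at every position, and the liveness conjunct r ⊃ ◇w' holds."""
    r = dependent_r(w, w_prime, sigma)
    direct = [holds_until(w, w_prime, sigma, k) for k in range(len(sigma))]
    live = all(not r[k] or eventually(w_prime, sigma, k) for k in range(len(sigma)))
    return r == direct and live

# Constructed sample data over the variables p and q.
P = lambda s, k: 'p' in s[k]
Q = lambda s, k: 'q' in s[k]
SAMPLE = [{'p'}, {'p'}, {'p', 'q'}, set(), {'q'}]

def exhaustive(max_len=4):
    """Check the reduction on every interval of up to max_len states over {p, q}."""
    states = [set(), {'p'}, {'q'}, {'p', 'q'}]
    return all(check_reduction(P, Q, list(sigma))
               for n in range(1, max_len + 1)
               for sigma in product(states, repeat=n))

if __name__ == "__main__":
    print(dependent_r(P, Q, SAMPLE), check_reduction(P, Q, SAMPLE), exhaustive())
```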

13.2 Past Time 

Let us now consider PTL with a bounded past. The syntax is modified to include 
the two additional primitive operators $\dot{\bigcirc} X$ (read previous $X$) and $\dot{\Diamond} X$ (read 
once $X$). The set of PTL formulas including past-time constructs is denoted 
as $\mathrm{PTL}_P$. The semantics of a PTL formula $X$ is now expressed as $(\sigma, k) \models X$, 
where $k$ is any natural number not exceeding $|\sigma|$. For example, the semantics 
of $\dot{\bigcirc}$ and $\dot{\Diamond}$ are as follows: 

$$(\sigma, k) \models \dot{\bigcirc} X \quad\text{iff}\quad k > 0 \text{ and } (\sigma, k-1) \models X$$

$$(\sigma, k) \models \dot{\Diamond} X \quad\text{iff}\quad \text{for some } j\colon 0 \le j \le k,\ (\sigma, j) \models X .$$

We define the operator $\dot{\Box} X$ (read so-far $X$) as $\neg \dot{\Diamond} \neg X$ and the operator for 
weak previous $X$ as $\neg \dot{\bigcirc} \neg X$. The operator $\mathit{first}$ is defined to be $\neg \dot{\bigcirc} \mathit{true}$ 
and tests for the first state of an interval. A past-time version of until called 
since can also be included but we omit the details. 

A $\mathrm{PTL}_P$ formula $X$ is defined to be satisfiable iff $(\sigma, k) \models X$ holds for some pair 
$(\sigma, k)$ with $k \le |\sigma|$. The formula $X$ is valid iff $(\sigma, k) \models X$ holds for every pair 
$(\sigma, k)$ with $k \le |\sigma|$. Note that these straightforward definitions of satisfiability 
and validity correspond to the so-called floating framework of PTL with past 
time. However, Manna and Pnueli propose another interesting approach called 
the anchored framework [45] (also discussed in [43]) which they argue is superior. 
In this framework, satisfiability and validity only examine pairs of the form 
$(\sigma, 0)$. There exist ways to go between the two conventions but we will not 
delve into this here and instead simply assume the more traditional floating 
interpretation. 

We now define an analogue of the set of formulas NL: 

Definition 84 (Previous Logic) The set of PTL formulas in which the only 
primitive temporal operator is $\dot{\bigcirc}$ is called Previous Logic (PrevL). The subset 
of PrevL with no $\dot{\bigcirc}$ nested in another $\dot{\bigcirc}$ is denoted as $\mathrm{PrevL}^1$. 

We let the variables $Z$ and $Z'$ denote formulas in $\mathrm{PrevL}^1$. Also, $\mathrm{PrevL}_V$ denotes 
the set of all formulas in $\mathrm{PrevL}^1$ only having variables in $V$. 

The following definitions extend the notation of transition configurations to 
deal with past time: 

Definition 85 (Past-Time Transition Configurations) A past-time transition 
configuration is any formula of the form $\dot{\Box}\Box(T \wedge Z) \wedge X$, where $T$ is in 
$\mathrm{NL}_V$, $Z$ is in $\mathrm{PrevL}_V$, and the formula $X$ is in $\mathrm{PTL}_V$ and is in one of the two 
categories shown below: 

Type of configuration     Syntax of $X$ 
Finite-time               $w \wedge \mathit{finite}$ 
Infinite-time             $w \wedge \Box\Diamond^{+} L$ 

Here $w$ is a state formula in $\mathrm{PROP}_V$ and $L$ is a conditional liveness formula in 
$\mathrm{PTL}_V$. 

The formula $\dot{\Box}\Box(T \wedge Z)$ contains both $\dot{\Box}$ and $\Box$ to ensure that both $T$ and $Z$ 
are true everywhere in the interval. 

The analysis of a finite-time or infinite-time past-time transition configuration 
can be easily reduced to reasoning in PTL without past time. Let us 
demonstrate this by first examining how to test the satisfiability of a finite-time 
past-time transition configuration $\dot{\Box}\Box(T \wedge Z) \wedge w \wedge \mathit{finite}$. This involves finding 
an interval $\sigma$ and natural number $k \le |\sigma|$ such that $(\sigma, k) \models \dot{\Box}\Box(T \wedge Z) \wedge w \wedge \mathit{finite}$ 
holds. Note that this past-time transition configuration is satisfiable iff 
the following formula, which shifts reasoning back to an interval's starting state, 
is satisfiable: 

$$\dot{\Diamond}\bigl(\Box(T \wedge Z) \wedge \mathit{first} \wedge \Diamond w \wedge \mathit{finite}\bigr) . \qquad (24)$$

Here we can dispense with the operator $\dot{\Box}$ since $\dot{\Box}\Box$ and $\Box$ have the same 
semantics at the starting state. 

Now for any $\mathrm{PTL}_P$ formula $X$, the formula $\dot{\Diamond} X$ is satisfiable iff $X$ is satisfiable. 
Hence, the formula (24) is satisfiable iff its subformula $\Box(T \wedge Z) \wedge \mathit{first} \wedge \Diamond w \wedge \mathit{finite}$ 
is satisfiable. Let us now define the $\mathrm{NL}_V$ formula $T'$ by replacing 
each $\dot{\bigcirc}$ construct in $Z$ by its operand and by taking each state formula in $Z$ 
which does not occur within a $\dot{\bigcirc}$ construct and enclosing it in $\bigcirc$. For example, if $Z$ is the formula 
$p \vee \dot{\bigcirc}(q \wedge r)$, then $T'$ is $(\bigcirc p) \vee (q \wedge r)$. Furthermore, let $w'$ be the state formula 
in $\mathrm{PROP}_V$ obtained from $Z$ by replacing each $\dot{\bigcirc}$ construct by $\mathit{false}$. In our 
example, $w'$ is $p \vee \mathit{false}$. It can be readily checked that the following formula 
relating $Z$ and $T'$ is true at any interval's initial state: $\Box Z \equiv (\Box(\mathit{more} \supset T') \wedge w')$. Therefore, 
the original finite-time past-time transition configuration is satisfiable iff 
the following formula in PTL without past time is satisfiable: 

$$\Box\bigl(T \wedge (\mathit{more} \supset T')\bigr) \wedge w' \wedge \Diamond w \wedge \mathit{finite} . \qquad (25)$$

This is still not a well-formed finite-time transition configuration due to the 
presence of the formula $\Diamond w$. However, $\Diamond w$ can be reduced by introducing a 
new propositional variable $r$ as shown in the next formula: 

$$\Box\bigl(T \wedge (\mathit{more} \supset T') \wedge (r \equiv (w \vee \bigcirc r))\bigr) \wedge w' \wedge r \wedge \mathit{finite} . \qquad (26)$$
The reduction of the original past-time transition configuration $\dot{\Box}\Box(T \wedge Z) \wedge w \wedge \mathit{finite}$ 
to the finite-time transition configuration (26) systematically relates 
all aspects of the analysis of the past-time transition configuration to the purely 
future-only reasoning presented earlier. This includes bounded models, decision 
procedures and axiomatic completeness. 
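As an added example (not the paper's code), the following Python implements the syntactic translation of a $\mathrm{PrevL}^1$ formula $Z$ into $T'$ and $w'$ described above and checks the stated relation $\Box Z \equiv (\Box(\mathit{more} \supset T') \wedge w')$ at the initial state exhaustively over short intervals; the tuple encoding of formulas and all function names are our own.

```python
# Added example (not from the paper): the translation of a PrevL^1 formula Z
# into the NL formula T' and the state formula w', with an exhaustive check of
# the claim □Z ≡ (□(more ⊃ T') ∧ w') at an interval's initial state.
# Formulas are nested tuples (our own encoding): ('const', b), ('var', name),
# ('not', X), ('and', X, Y), ('or', X, Y), ('prev', X) for ◉X, ('next', X) for ◯X.
from itertools import combinations, product

def ev(F, sigma, k):
    """(sigma, k) |= F with a bounded past and a finite future."""
    op = F[0]
    if op == 'const': return F[1]
    if op == 'var':   return F[1] in sigma[k]
    if op == 'not':   return not ev(F[1], sigma, k)
    if op == 'and':   return ev(F[1], sigma, k) and ev(F[2], sigma, k)
    if op == 'or':    return ev(F[1], sigma, k) or ev(F[2], sigma, k)
    if op == 'prev':  return k > 0 and ev(F[1], sigma, k - 1)
    if op == 'next':  return k + 1 < len(sigma) and ev(F[1], sigma, k + 1)
    raise ValueError(op)

def has_prev(F):
    return F[0] == 'prev' or any(has_prev(a) for a in F[1:] if isinstance(a, tuple))

def to_future(Z):
    """T': each ◉X becomes X (it is read one state earlier), and each maximal
    state subformula outside a ◉ is enclosed in ◯."""
    if not has_prev(Z):
        return ('next', Z)
    if Z[0] == 'prev':
        return Z[1]
    return (Z[0],) + tuple(to_future(a) for a in Z[1:])

def to_initial(Z):
    """w': every ◉ construct becomes false, since the initial state has no past."""
    if Z[0] == 'prev':
        return ('const', False)
    return (Z[0],) + tuple(to_initial(a) if isinstance(a, tuple) else a for a in Z[1:])

MORE = ('next', ('const', True))          # more ≡ ◯true: a next state exists

def claim_holds(Z, sigma):
    """□Z ≡ (□(more ⊃ T') ∧ w') evaluated at position 0 of sigma."""
    lhs = all(ev(Z, sigma, j) for j in range(len(sigma)))
    guarded = ('or', ('not', MORE), to_future(Z))
    rhs = all(ev(guarded, sigma, j) for j in range(len(sigma))) and ev(to_initial(Z), sigma, 0)
    return lhs == rhs

def check_all(Z, variables=('p', 'q', 'r'), max_len=3):
    """The claim on every interval of up to max_len states over the variables."""
    states = [set(c) for n in range(len(variables) + 1) for c in combinations(variables, n)]
    return all(claim_holds(Z, list(s))
               for n in range(1, max_len + 1) for s in product(states, repeat=n))

# The paper's example Z = p ∨ ◉(q ∧ r).
Z_EX = ('or', ('var', 'p'), ('prev', ('and', ('var', 'q'), ('var', 'r'))))
```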

An alternative way to reduce the PTL formula (25) involves interval-based 
reasoning. We first re-express the formula in PTL as the next semantically 
equivalent conjunction: 

$$\Box\bigl(T \wedge (\mathit{more} \supset T')\bigr) \wedge w' \wedge \Diamond w \wedge \mathit{sfin}\, T . \qquad (27)$$

This makes use of the valid PTL equivalence $(\Box X \wedge \mathit{finite}) \equiv (\Box X \wedge \mathit{sfin}\, X)$, 
for any PTL formula $X$. However, in our case we can omit the subformula 
$\mathit{more} \supset T'$ in the $\mathit{sfin}$ construct since the operator $\mathit{more}$ ensures that it is 
trivially true in the associated empty interval. Let $T''$ denote the subformula 
$T \wedge (\mathit{more} \supset T')$. Theorem 11 ensures the semantic equivalence of $\Box T''$ and 
$(\$T'')^{*}$. Now the formula (27) can in turn be itself re-expressed as the following 
chop-formula: 

$$\bigl((\$T'')^{*} \wedge w' \wedge \mathit{finite}\bigr); \bigl((\$T'')^{*} \wedge w \wedge \mathit{sfin}\, T\bigr) . \qquad (28)$$

Let $w''$ denote a state formula obtained by replacing every $\bigcirc$ construct in $T$ 
by $\mathit{false}$. Consequently, $w''$ is true exactly in states for which $T \wedge \mathit{empty}$ is 
true. It follows that we can test for satisfiability of formula (28) by adapting 
the symbolic methods mentioned in the section on the BDD-based decision procedure to solve for $V$-atoms $\alpha$, $\beta$ and $\gamma$ for 
which the following formulas are satisfiable: 

$$\alpha \wedge w' \qquad (\$T'')^{*} \wedge \alpha \wedge \mathit{sfin}\,\beta \qquad \beta \wedge w \qquad (\$T'')^{*} \wedge \beta \wedge \mathit{sfin}\,\gamma \qquad \gamma \wedge w'' .$$

Further details are omitted here. 

The treatment for an infinite-time past-time transition configuration is nearly 
identical to that for a finite-time one since the assumption of a bounded past 
still applies and avoids the need for a past-time conditional liveness formula. 
First of all, we replace the subformula $\mathit{finite}$ by $\Box\Diamond^{+} L$: 

$$\Box(T \wedge T') \wedge w' \wedge \Diamond w \wedge \Box\Diamond^{+} L .$$

The use of infinite time ensures we can omit the instance of $\mathit{more}$ found in the 
finite-time formulas (25) and (26) since $T'$ and $\mathit{more} \supset T'$ are semantically equivalent 
on an infinite interval. The formula $\Diamond w$ is itself reduced by introducing 
a new propositional variable $r$ and conjoining a new implication to $L$ to obtain 
the well-formed infinite-time transition configuration below: 

$$\Box(T \wedge T') \wedge w' \wedge r \wedge \Box\Diamond^{+}\bigl(L \wedge (r \supset \Diamond w)\bigr) .$$

So far we have only considered finite- and infinite-time transition configurations. 
Invariants (and hence also invariant configurations) can be extended to 
support past-time reasoning by adding two new kinds of dependencies. The first 
has the form $u \equiv Z$ and the second has the form $u \equiv \dot{\Diamond} w$. The use of $\dot{\Diamond}$ does not 
involve $I$'s conditional liveness formula $L_I$ due to the assumption of a bounded 
past. The definitions of invariant configurations remain the same and the reduction 
of them to past-time transition configurations is straightforward since 
no dependency contains both future- and past-time temporal constructs. Furthermore, 
dependencies containing the temporal operator since (a conventional 
past-time analogue of the operator until) are not much harder to handle than 
$\dot{\Diamond}$-dependencies. The reduction of an arbitrary $\mathrm{PTL}_P$ formula to an invariant 
with past time is also straightforward. 

13.3 Generalised Conditional Liveness Formulas and Invariants 

Conditional liveness formulas and invariants require that any operand of $\Diamond$ 
is a state formula. We can slightly relax this requirement and 
permit arbitrary formulas in $\mathrm{NL}^1$. This makes invariants more succinct since a 
formula such as $\mathit{sfin}\, w$ can now be expressed using only one dependency such 
as $u_k \equiv \Diamond(\mathit{empty} \wedge w)$ instead of requiring two. The formula $\Box\Diamond^{+} w$ can 
be expressed with the invariant $u_k \equiv \Diamond(w \wedge \bigcirc u_k)$. The overall analysis of 
such invariants only differs slightly from that for the basic version of invariants. 
Invariants with until-dependencies (see Sect. 13.1) can be analogously generalised 
to permit until-dependencies of the form $u_k \equiv (T \mathrel{\mathcal{U}} T')$, where both $T$ and $T'$ 
are in $\mathrm{NL}^1$. 

Transition configurations containing generalised liveness formulas might be 
of use as a notation for representing deterministic and nondeterministic $\omega$-automata 
in temporal logic. However, we need to employ Quantified PTL 
(QPTL) to existentially quantify over the variables which collectively encode 
such an automaton's internal state. Further details of this are omitted here. 

13.4 Fusion Logic 

Regular expressions are a standard notation for representing regular languages. 
However, within PITL, it is more appropriate to use languages based on the fusion 
operator rather than conventional concatenation. This involves a variation 
of regular expressions called here fusion expressions. We now define a PITL-based 
representation of them which is in fact a special subset of PITL formulas. 
This subset will then provide the basis for a generalisation of PTL called Fusion 
Logic (FL) which is also itself a subset of PITL. We originally used Fusion Logic 
in [57] as a kind of intermediate logic when we reduced the problem of showing 
axiomatic completeness of Propositional Interval Temporal Logic (PITL) 
with finite time to showing axiomatic completeness for PTL. Fusion Logic is 
closely related to Propositional Dynamic Logic (PDL) [21,22,30-32,39]. A major 
reason for discussing Fusion Logic here is that it is not hard to extend 
our decision procedure for PTL with finite time to also handle more expressive 
interval-oriented FL formulas by simply reducing FL formulas to lower-level 
PTL formulas of the kinds already discussed. This demonstrates another link 
between PTL and intervals and has practical applications. 

Definition 86 (Fusion Expression Formulas) The set of fusion expression 
formulas, denoted FE, consists of PITL formulas with the syntax given below, 
where $w$ is a state formula, $T$ is in $\mathrm{NL}^1$ and $E$ and $F$ themselves denote FE 
formulas: 

$$w? \qquad E \vee F \qquad \$T \qquad E;F \qquad E^{*} .$$

The syntax of FE formulas is like that of programs in Propositional Dynamic 
Logic without rich tests. However FE has a semantics based on sequences of 
states rather than binary relations. 

For any set of variables $V$, let $\mathrm{FE}_V$ denote the set of FE formulas containing 
only variables in $V$. 

Unlike letters in conventional regular expressions, any nonmodal formula can 
be used in $w?$. For example, $\mathit{false}?$ is permitted even though it is unsatisfiable. 
Consider the following FE formula: 

$$((\$\bigcirc p);(q?)) \vee$$

This is true on an interval if either the interval has exactly two states and $p$ and 
$q$ are both true in the second state or it has some arbitrary number of states, 
say $k$, with $q$ false in each of the first $k - 1$ states. 

Remark 87 (Expressing concatenation) It is important to note that the 
conventional concatenation of two FE formulas $E$ and $F$ can be achieved through 
the use of the FE formula $E;(\$\mathit{true});F$. Here $\$\mathit{true}$ is itself an FE formula 
which is an alternative way to express the PTL operator $\mathit{skip}$. This temporal 
operation on $E$ and $F$ is sometimes called "chomp", since it is a slight variation 
of chop. Hence, in the context of temporal logic, FE formulas can largely 
subsume regular expressions although there are slightly different conventions for 
such things as empty words. We omit the details. 

We now present the sublogic of PITL called here Fusion Logic. In essence, 
Fusion Logic augments conventional PTL with the fusion expression formulas 
already introduced. 

Definition 88 (Fusion Logic) Here is the syntax of FL where $p$ is any propositional 
variable, $E$ is any FE formula and $X$ and $Y$ are themselves formulas 
in FL: 

$$p \qquad \neg X \qquad X \vee Y \qquad \bigcirc X \qquad \Diamond X \qquad \langle E \rangle X .$$

We define the new construct $\langle E \rangle X$ (called "FL-chop") and its dual $[E]X$ (called 
"FL-yields") using the primitive PITL constructs chop and $\neg$: 

$$\langle E \rangle X \;\equiv\; E;X \qquad\qquad [E]X \;\equiv\; \neg\langle E \rangle \neg X .$$

Within an FL formula, $\bigcirc$, $\Diamond$ and FL-chop are treated as primitive constructs. 
Unlike PITL, FL limits the left sides of chop to being FE formulas. 

In [57], we described an earlier version of FL having $\mathit{skip}$ as a primitive FE 
formula instead of $\$T$. As we noted earlier in Remark 87, the PTL formula $\mathit{skip}$ 
can be expressed in FE as $\$\mathit{true}$. The two versions of FL can readily be shown to 
be equally expressive since $\$T$ can be replaced with a semantically equivalent 
disjunction of formulas built using $?$, $\mathit{skip}$ and chop. For example, the FE 
formula $\$(p \supset \bigcirc q)$ is semantically equivalent to the FE formula $((\neg p)?;\mathit{skip}) \vee 
(\mathit{skip};q?)$. In practice, the version described here is much more natural and 
succinct. 

Henriksen and Thiagarajan [33,34] investigate a formalism related to Wolper's 
ETL [70,72] and called Dynamic Linear Time Temporal Logic which combines 
PTL and PDL in a linear-time framework with infinite time. It is similar to our 
Fusion Logic and uses multiple atomic programs instead of the FE operators ? 
and $. 

Remark 89 The temporal operators $\bigcirc$ and $\Diamond$ which are primitives in FL can 
actually be expressed as instances of FL-chop if finite time is assumed: 

$$\models\; \bigcirc X \equiv \langle \$\mathit{true} \rangle X \qquad\qquad \models\; \Diamond X \equiv \langle (\$\mathit{true})^{*} \rangle X .$$
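As an added example (not code from the paper or from [57]), the following Python evaluates FE formulas of Definition 86 under the fusion semantics and uses that to check the equivalence $\$(p \supset \bigcirc q) \equiv ((\neg p)?;\mathit{skip}) \vee (\mathit{skip};q?)$ stated above together with the two FL-chop equivalences of Remark 89, over all short intervals; the tuple encoding, predicates and function names are ours.

```python
# Added example (not from the paper): an evaluator for fusion expression (FE)
# formulas over finite intervals, used to check equivalences stated in the text:
# $(p ⊃ ◯q) ≡ ((¬p)?;skip) ∨ (skip;q?), and via FL-chop ◯X ≡ ⟨$true⟩X and
# ◇X ≡ ⟨($true)*⟩X. An interval is a list of states (sets of true variables), so
# |σ| = len(σ) - 1. FE syntax in our own tuple encoding: ('test', w), ('step', T),
# ('or', E, F), ('chop', E, F), ('star', E); w and T are predicates on (σ, k).
from itertools import product

def fe(E, sigma):
    """sigma |= E for an FE formula E (fusion semantics: chop shares a state)."""
    op = E[0]
    if op == 'test':      # w?: a one-state (empty) interval whose state satisfies w
        return len(sigma) == 1 and E[1](sigma, 0)
    if op == 'step':      # $T: exactly two states, with the NL^1 formula T at the first
        return len(sigma) == 2 and E[1](sigma, 0)
    if op == 'or':
        return fe(E[1], sigma) or fe(E[2], sigma)
    if op == 'chop':      # E;F: some state k both ends the E-part and starts the F-part
        return any(fe(E[1], sigma[:k + 1]) and fe(E[2], sigma[k:])
                   for k in range(len(sigma)))
    if op == 'star':      # E*: empty, or a nonempty E-prefix followed by E* again
        return len(sigma) == 1 or any(fe(E[1], sigma[:k + 1]) and fe(E, sigma[k:])
                                      for k in range(1, len(sigma)))
    raise ValueError(op)

def fl_chop(E, X, sigma, k=0):
    """⟨E⟩X ≡ E;X at position k: an E-prefix of the suffix, then X at the join state."""
    return any(fe(E, sigma[k:j + 1]) and X(sigma, j) for j in range(k, len(sigma)))

TRUE = lambda s, k: True
SKIP = ('step', TRUE)                      # $true, i.e. the PTL operator skip
P = lambda s, k: 'p' in s[k]
Q = lambda s, k: 'q' in s[k]
NOT_P = lambda s, k: not P(s, k)
NEXT_Q = lambda s, k: k + 1 < len(s) and Q(s, k + 1)          # ◯q

# $(p ⊃ ◯q) against ((¬p)?;skip) ∨ (skip;q?)
LEFT = ('step', lambda s, k: NOT_P(s, k) or NEXT_Q(s, k))
RIGHT = ('or', ('chop', ('test', NOT_P), SKIP), ('chop', SKIP, ('test', Q)))

def all_intervals(max_len=4):
    """Every interval of up to max_len states over the variables p and q."""
    states = [set(), {'p'}, {'q'}, {'p', 'q'}]
    for n in range(1, max_len + 1):
        for s in product(states, repeat=n):
            yield list(s)

def equivalences_hold():
    """All three equivalences, checked on every interval from all_intervals()."""
    for sigma in all_intervals():
        if fe(LEFT, sigma) != fe(RIGHT, sigma):
            return False
        for k in range(len(sigma)):
            ev_q = any(Q(sigma, j) for j in range(k, len(sigma)))   # ◇q directly
            if NEXT_Q(sigma, k) != fl_chop(SKIP, Q, sigma, k):
                return False
            if ev_q != fl_chop(('star', SKIP), Q, sigma, k):
                return False
    return True
```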

In spite of FL being a proper subset of PITL, they have the same expressiveness. 
This is discussed in [57], where a hierarchical reduction of FL formulas to 
PTL formulas is also given but is limited to dealing with finite-time intervals. 
This reduction provides the basis of a decision procedure for FL with finite time. 
We plan to describe in future work a hierarchical reduction to transition 
configurations (also restricted to finite time). Such transition configurations can 
then be tested with the decision procedure described earlier. Like the first 
reduction in [57], this reduction can also be used for proving the completeness 
of an axiom system for FL with finite time. 

14 Discussion 

We conclude with a look at some issues connected with PTL and FL. 

As noted earlier, a number of PTL decision procedures are tableau-based 
algorithms. These include ones described by Wolper [73], Emerson [20] and 
Lichtenstein and Pnueli [43]. It appears that with some care a tableau-based 
approach can be hierarchically reduced to our framework. We hope to look into 
this in more detail in the future. 

The BDD-based techniques described earlier can be adapted to check in 
real time that an executing system is not violating assertions expressed in PTL 
or FL as it runs. Whether FL in particular is useful for this in practice is unclear. 
In addition, it would appear that the reachability analysis necessary for our 
approach to work can, as with Bounded Model Checking (BMC) [13], employ 
SAT-based techniques for PTL and FL instead of BDDs. However, such a 
SAT-based approach, unlike the BDD-based one, normally cannot exhaustively 
test for unsatisfiability because in BMC there is no notion corresponding to 
convergence of BDDs to the set of all atoms reachable from some starting one. 
Rather, BMC works by employing SAT to find at most a single solution not 
exceeding some predetermined maximum bounded length which for practical 
reasons is generally much less than the worst-case bounds derived from formula 
syntax. If a solution is not found, this is typically not by itself sufficient to 
exclude the existence of larger satisfying intervals. 

We have used versions of invariants, transition formulas and conditional 
liveness formulas to analyse Propositional Dynamic Logic (PDL) without the 
need for Fischer-Ladner closures. Indeed, this was the original motivation for 
conditional liveness formulas. However, at present the benefits and novelty of 
utilising our approach for PDL are less compelling than for PTL. 